authorCaolán McNamara <caolanm@redhat.com>2021-03-27 20:53:53 +0000
committerCaolán McNamara <caolanm@redhat.com>2021-03-28 15:37:12 +0200
commite8944ef20974cf44d2e25667c6c34d231d9a66e3 (patch)
treec924634040fefee17ab43773df3130a8cf7ddb55 /editeng
parente11c51eefe8c3210cef2b5850f401ba67a401d01 (diff)
cid#1473839 Untrusted loop bound
Change-Id: Iedb13791e19f635117040698e1fc45a5c1c3968d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113235 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'editeng')
-rw-r--r--editeng/source/items/numitem.cxx6
1 files changed, 6 insertions, 0 deletions
diff --git a/editeng/source/items/numitem.cxx b/editeng/source/items/numitem.cxx
index 5873cfb05781..0c48262f323f 100644
--- a/editeng/source/items/numitem.cxx
+++ b/editeng/source/items/numitem.cxx
@@ -645,6 +645,12 @@ SvxNumRule::SvxNumRule( SvStream &rStream )
rStream.ReadUInt16( nTmp16 ); // NUM_ITEM_VERSION
rStream.ReadUInt16( nLevelCount );
+ if (nLevelCount > SVX_MAX_NUM)
+ {
+ SAL_WARN("editeng", "nLevelCount: " << nLevelCount << " greater than max of: " << SVX_MAX_NUM);
+ nLevelCount = SVX_MAX_NUM;
+ }
+
// first nFeatureFlags of old Versions
rStream.ReadUInt16( nTmp16 ); nFeatureFlags = static_cast<SvxNumRuleFlags>(nTmp16);
rStream.ReadUInt16( nTmp16 ); bContinuousNumbering = nTmp16;
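Review bot: The new `if (nLevelCount > SVX_MAX_NUM)` branch clamps the count and keeps parsing a stream that has just proven malformed, and `SAL_WARN` is normally only emitted in builds with logging enabled, so a release build would accept the out-of-range value silently. If callers of this constructor can handle a failed stream, consider marking it next to the clamp with `rStream.SetError(SVSTREAM_FILEFORMAT_ERROR);` so the bad input is visible to them. If clamping is the intended recovery, a short comment such as `// nLevelCount comes from the file and bounds later per-level loops; clamp rather than trust it` would record why. The result of `rStream.ReadUInt16( nLevelCount )` is also not checked in the visible lines, so on a truncated stream the check presumably runs against whatever the member was initialised to. The constructor body starts and continues outside this hunk, so later stream-status checks may exist that are not visible here.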