diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-10-23 10:43:52 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-10-23 11:13:24 +0100 |
| commit | 04d34c63c7f988eb285366e899f899ccd7109482 (patch) | |
| tree | 3f380a112d13e00922e923883d43106ff5c55bb9 /filter | |
| parent | d4617ef9c371baaadd948ffe7285d197d2d97107 (diff) | |
coverity#1242688 Untrusted loop bound
Change-Id: Ic3e2c390de22d3e998daf760d73619218da020ec
Diffstat (limited to 'filter')
| -rw-r--r-- | filter/source/msfilter/svdfppt.cxx | 50 |
1 files changed, 31 insertions, 19 deletions
diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index 36524ebc48b6..0475f0cbb361 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -4507,7 +4507,9 @@ PPTTextRulerInterpreter::PPTTextRulerInterpreter( sal_uInt32 nFileOfs, SdrPowerP } if ( nFileOfs ) { - sal_Int16 nTCount; + bool bRecordOk = true; + + sal_Int16 nTCount(0); sal_Int32 i; rIn.ReadInt32( mpImplRuler->nFlags ); @@ -4518,10 +4520,16 @@ PPTTextRulerInterpreter::PPTTextRulerInterpreter( sal_uInt32 nFileOfs, SdrPowerP rIn.ReadUInt16( mpImplRuler->nDefaultTab ); if ( mpImplRuler->nFlags & 4 ) { - rIn.ReadInt16( nTCount ); - if ( nTCount ) + rIn.ReadInt16(nTCount); + + const size_t nMaxPossibleRecords = rIn.remainingSize() / (2*sizeof(sal_uInt16)); + const sal_uInt16 nTabCount(nTCount); + + bRecordOk = nTabCount <= nMaxPossibleRecords; + + if (nTCount && bRecordOk) { - mpImplRuler->nTabCount = (sal_uInt16)nTCount; + mpImplRuler->nTabCount = nTabCount; mpImplRuler->pTab = new PPTTabEntry[ mpImplRuler->nTabCount ]; for ( i = 0; i < nTCount; i++ ) { @@ -4530,23 +4538,27 @@ PPTTextRulerInterpreter::PPTTextRulerInterpreter( sal_uInt32 nFileOfs, SdrPowerP } } } - for ( i = 0; i < 5; i++ ) + + if (bRecordOk) { - if ( mpImplRuler->nFlags & ( 8 << i ) ) - rIn.ReadUInt16( mpImplRuler->nTextOfs[ i ] ); - if ( mpImplRuler->nFlags & ( 256 << i ) ) - rIn.ReadUInt16( mpImplRuler->nBulletOfs[ i ] ); - if( mpImplRuler->nBulletOfs[ i ] > 0x7fff) + for ( i = 0; i < 5; i++ ) { - // workaround - // when bullet offset is > 0x7fff, the paragraph should look like - // * first line text - // second line text - - // we add to bullet para indent 0xffff - bullet offset. it looks like - // best we can do for now - mpImplRuler->nTextOfs[ i ] += 0xffff - mpImplRuler->nBulletOfs[ i ]; - mpImplRuler->nBulletOfs[ i ] = 0; + if ( mpImplRuler->nFlags & ( 8 << i ) ) + rIn.ReadUInt16( mpImplRuler->nTextOfs[ i ] ); + if ( mpImplRuler->nFlags & ( 256 << i ) ) + rIn.ReadUInt16( mpImplRuler->nBulletOfs[ i ] ); + if( mpImplRuler->nBulletOfs[ i ] > 0x7fff) + { + // workaround + // when bullet offset is > 0x7fff, the paragraph should look like + // * first line text + // second line text + + // we add to bullet para indent 0xffff - bullet offset. it looks like + // best we can do for now + mpImplRuler->nTextOfs[ i ] += 0xffff - mpImplRuler->nBulletOfs[ i ]; + mpImplRuler->nBulletOfs[ i ] = 0; + } } } } |