coverity#1362681 Untrusted loop bound

and coverity#1362682 Untrusted loop bound Change-Id: I97eacad09abed4f91744b36f572761e43a3477fb
author: Caolán McNamara <caolanm@redhat.com> 2016-06-11 20:53:18 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2016-06-11 21:00:55 +0100
commit: 08c9c0a3ae3a34609f31da5c229dfaedacdd27d6 (patch)
tree: 3308ee17a045bb522c3bf25b38948b3e10905220 /lotuswordpro
parent: 51a09942d9f9b0d8ef9c24bff2ee1dc270e43d5e (diff)
1 files changed, 17 insertions, 5 deletions
diff --git a/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx b/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
index 51c8dec34ab2..39d1b3fa501d 100644
--- a/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
+++ b/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
@@ -115,12 +115,12 @@ void LwpSdwGroupLoaderV0102::BeginDrawObjects(std::vector< rtl::Reference<XFFram
     // topObj, botObj
     m_pStream->SeekRel(4);
     //record count
-    unsigned short nRecCount;
+    unsigned short nRecCount(0);
     m_pStream->ReadUInt16(nRecCount);
     // selCount
     m_pStream->SeekRel(2);
     //boundrect
-    unsigned short left,top,right,bottom;
+    unsigned short left(0),top(0),right(0),bottom(0);
     m_pStream->ReadUInt16(left);
     m_pStream->ReadUInt16(top);
     m_pStream->ReadUInt16(right);
@@ -222,6 +222,12 @@ void LwpSdwGroupLoaderV0102::BeginDrawObjects(std::vector< rtl::Reference<XFFram
         }
     }
 
+    if (nRecCount > m_pStream->remainingSize())
+    {
+        SAL_WARN("lwp", "stream too short for claimed no of records");
+        nRecCount = m_pStream->remainingSize();
+    }
+
     //load draw object
     for (unsigned short i = 0; i < nRecCount; i++)
     {
@@ -260,12 +266,12 @@ XFDrawGroup* LwpSdwGroupLoaderV0102::CreateDrawGroupObject()
     // topObj, botObj
     m_pStream->SeekRel(4);
     //record count
-    unsigned short nRecCount;
+    unsigned short nRecCount(0);
     m_pStream->ReadUInt16(nRecCount);
     // selCount
     m_pStream->SeekRel(2);
     //boundrect
-    unsigned short left,top,right,bottom;
+    unsigned short left(0),top(0),right(0),bottom(0);
     m_pStream->ReadUInt16(left);
     m_pStream->ReadUInt16(top);
     m_pStream->ReadUInt16(right);
@@ -275,6 +281,12 @@ XFDrawGroup* LwpSdwGroupLoaderV0102::CreateDrawGroupObject()
 
     XFDrawGroup* pXFDrawGroup = new XFDrawGroup();
 
+    if (nRecCount > m_pStream->remainingSize())
+    {
+        SAL_WARN("lwp", "stream too short for claimed no of records");
+        nRecCount = m_pStream->remainingSize();
+    }
+
     //load draw object
     for (unsigned short i = 0; i < nRecCount; i++)
     {
@@ -303,7 +315,7 @@ XFDrawGroup* LwpSdwGroupLoaderV0102::CreateDrawGroupObject()
 XFFrame* LwpSdwGroupLoaderV0102::CreateDrawObject()
 {
     //record type
-    unsigned char recType;
+    unsigned char recType(0);
     m_pStream->ReadUChar(recType);
 
     LwpDrawObj* pDrawObj = nullptr;
author	Caolán McNamara <caolanm@redhat.com>	2016-06-11 20:53:18 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2016-06-11 21:00:55 +0100
commit	08c9c0a3ae3a34609f31da5c229dfaedacdd27d6 (patch)
tree	3308ee17a045bb522c3bf25b38948b3e10905220 /lotuswordpro
parent	51a09942d9f9b0d8ef9c24bff2ee1dc270e43d5e (diff)