diff options
author | Caolán McNamara <caolanm@redhat.com> | 2014-10-20 09:59:28 +0100 |
---|---|---|
committer | Michael Stahl <mstahl@redhat.com> | 2014-10-23 12:21:38 +0000 |
commit | 22590777ac1fbb1b6dadedae166a59ed3c34dc5b (patch) | |
tree | 0e1c08728e9019debdd29a2e318d641d4ec3f8e3 /sw | |
parent | ce566d4a49b40d00ece92c53fb6e96d3c928ae0b (diff) |
various untrusted loop bounds
coverity#1242704 Untrusted loop bound
Change-Id: Ib2e00c0cd269dc7ae55b206713fe07e5326072f2
(cherry picked from commit d615d83381a0830a815fe2879ce761f1b00b04e9)
coverity#1242606 Untrusted loop bound
Change-Id: Iafa03d4dd65eb343a80996880bc1ed846d1b7491
(cherry picked from commit 1361dfc0aa835dcb134d5de4bac594519aa16efe)
coverity#1242582 Untrusted loop bound
Change-Id: I72d2c4979b62a025d212ce5ee3b7141c40376fa7
(cherry picked from commit 6118c11a0c5122169979547e8c27136cf58a54a7)
coverity#1242778 Untrusted value as argument
Change-Id: I34d5a5e7c5f0eef51d941c65ab73d5421d5a36cb
(cherry picked from commit be31503ef86d2ad3291ced8fddb9c4da4d324c46)
coverity#1242724 Untrusted value as argument
Change-Id: I6041d09ef0a4ed4af5f1bf93f31a1eac60be1af7
(cherry picked from commit bbe264a19fb82f50d859fc72a47312db0527640f)
coverity#1242717 Untrusted loop bound
Change-Id: I983bba075ab9626c90555fa41f9d473ae60fafea
(cherry picked from commit cf63ebe0f005513c1e989682459bcd0688eb190b)
coverity#1242624 Untrusted loop bound
Change-Id: If2ae1982eec100f5602a13d648beec247ced6aa2
(cherry picked from commit 711e74544d70b108e9bc70772b31f386dbf1c2a4)
coverity#1222238 Untrusted loop bound
Change-Id: I1a4dec8727d0a27f7fd0396fd22d955f61daaee4
(cherry picked from commit 5a89092d5fe43638832ea8f86df34f81869337d9)
coverity#1242573 Untrusted loop bound
Change-Id: Id2847c55ccab7272919e76542bc0e0570bc9af12
(cherry picked from commit 5e2d089f763963e6ce7d3d183bd1bf7932aeaaaf)
coverity#1242573 Untrusted loop bound
(cherry picked from commit 11a514e06bf38c70f2364c8535782aa3f33d6206)
Conflicts:
vcl/source/filter/wmf/winwmf.cxx
Change-Id: Ic84e57fbfa2b532409865c4364b91be594d252cf
pass sfntLen to DumpSfnts etc so sfntP reads can be checked
Change-Id: I5d8092eceb31ba251e75fe2c51b87890b8adcbf2
(cherry picked from commit b4a0104849eeecb7779fda41116c92c362759882)
coverity#1242908 Untrusted value as argument
Change-Id: If9dd92c361d406c435329d29870dc8bb07a8ba7b
(cherry picked from commit d0be09322d127e7d517851db38c764d57fbab2dc)
Reviewed-on: https://gerrit.libreoffice.org/12067
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Tested-by: Michael Stahl <mstahl@redhat.com>
Diffstat (limited to 'sw')
-rw-r--r-- | sw/source/filter/ww8/ww8par.cxx | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx index 72b24bd51ee2..0bf426592028 100644 --- a/sw/source/filter/ww8/ww8par.cxx +++ b/sw/source/filter/ww8/ww8par.cxx @@ -1039,19 +1039,26 @@ SdrObject* SwMSDffManager::ProcessObj(SvStream& rSt, delete pImpRec->pWrapPolygon; pImpRec->pWrapPolygon = NULL; - sal_uInt16 nNumElemVert, nNumElemMemVert, nElemSizeVert; + sal_uInt16 nNumElemVert(0), nNumElemMemVert(0), nElemSizeVert(0); rSt.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert ); + bool bOk = false; if (nNumElemVert && ((nElemSizeVert == 8) || (nElemSizeVert == 4))) { + //check if there is enough data in the file to make the + //record sane + bOk = rSt.remainingSize() / nElemSizeVert >= nNumElemVert; + } + if (bOk) + { pImpRec->pWrapPolygon = new Polygon(nNumElemVert); for (sal_uInt16 i = 0; i < nNumElemVert; ++i) { - sal_Int32 nX, nY; + sal_Int32 nX(0), nY(0); if (nElemSizeVert == 8) rSt.ReadInt32( nX ).ReadInt32( nY ); else { - sal_Int16 nSmallX, nSmallY; + sal_Int16 nSmallX(0), nSmallY(0); rSt.ReadInt16( nSmallX ).ReadInt16( nSmallY ); nX = nSmallX; nY = nSmallY; |