From de26ef857bf3b39a02192289a374605ca9491721 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Sun, 23 Aug 2015 12:52:52 +0100 Subject: coverity#1242865 Untrusted loop bound Change-Id: I9c6f821f7bd1e9bd3eb8f47e269e62a792523f1a --- basic/source/classes/image.cxx | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/basic/source/classes/image.cxx b/basic/source/classes/image.cxx index ef468dc2e5a1..703dbd41b7e1 100644 --- a/basic/source/classes/image.cxx +++ b/basic/source/classes/image.cxx @@ -241,6 +241,17 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion ) break; } case B_SBXOBJECTS: + { + //assuming an empty string with just the lead 32bit/16bit len indicator + const size_t nMinStringSize = (eCharSet == RTL_TEXTENCODING_UNICODE) ? 4 : 2; + const size_t nMinRecordSize = nMinStringSize + sizeof(sal_Int16); + const size_t nMaxRecords = r.remainingSize() / nMinRecordSize; + if (nCount > nMinRecordSize) + { + SAL_WARN("basic", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nCount << " claimed, truncating"); + nCount = nMaxRecords; + } // User defined types for (sal_uInt16 i = 0; i < nCount; i++) @@ -319,9 +330,8 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion ) AddType(pType); } - break; - + } case B_MODEND: goto done; default: -- cgit v1.2.3
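Review bot: In the first hunk's `B_SBXOBJECTS` guard, `if (nCount > nMinRecordSize)` compares the claimed record count with the byte size of one minimal record rather than with the bound computed on the line above; it should read `if (nCount > nMaxRecords)`. As written, a stream that claims `nMinRecordSize` records or fewer but has too little data remaining is not truncated, so the untrusted loop bound this commit targets is still reachable for small counts. In the other direction, a well-formed image with more than `nMinRecordSize` user-defined types always takes the `nCount = nMaxRecords` branch, which can raise the count above what the file declared and make the loop parse trailing bytes as type records. `nCount` is declared outside this hunk; if it is narrower than `size_t` (the loop index is `sal_uInt16`), that assignment also narrows implicitly, which the corrected comparison makes harmless because the assigned value is then always smaller than the original `nCount`. `SbiImage::Load` begins and ends outside the hunk.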