From f0c2e0d27ccdeaefb00b63e7462e1c25e18f73af Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Wed, 29 Jan 2020 17:17:24 +0000 Subject: cid#1458020 Untrusted loop bound MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cid#1458018 Untrusted loop bound cid#1242844 Untrusted loop bound Change-Id: I9062240290708f4b51b0ce42a30897b50d1a2677 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/87702 Tested-by: Jenkins Reviewed-by: Caolán McNamara --- filter/source/msfilter/mstoolbar.cxx | 5 +++-- filter/source/msfilter/svdfppt.cxx | 39 ++++++++++++++++++++---------------- 2 files changed, 25 insertions(+), 19 deletions(-) (limited to 'filter') diff --git a/filter/source/msfilter/mstoolbar.cxx b/filter/source/msfilter/mstoolbar.cxx index f44cd2bbb3ca..e32181019602 100644 --- a/filter/source/msfilter/mstoolbar.cxx +++ b/filter/source/msfilter/mstoolbar.cxx @@ -676,10 +676,11 @@ bool TBCCDData::Read( SvStream &rS) rS.ReadInt16( cwstrItems ); if (cwstrItems > 0) { + auto nItems = o3tl::make_unsigned(cwstrItems); //each WString is at least one byte - if (rS.remainingSize() < o3tl::make_unsigned(cwstrItems)) + if (rS.remainingSize() < nItems) return false; - for( sal_Int32 index=0; index < cwstrItems; ++index ) + for (decltype(nItems) index = 0; index < nItems; ++index) { WString aString; if ( !aString.Read( rS ) ) diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index 1cae88f4870f..a1c57622f865 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -1213,24 +1213,29 @@ SdrObject* SdrEscherImport::ProcessObj( SvStream& rSt, DffObjData& rObjData, Svx { if ( aSecPropSet.SeekToContent( DFF_Prop_tableRowProperties, rSt ) ) { - sal_Int16 i, nRowCount = 0; - rSt.ReadInt16( nRowCount ).ReadInt16( i ).ReadInt16( i ); - const size_t nMinRecordSize = 4; - const size_t nMaxRecords = rSt.remainingSize() / nMinRecordSize; - if (nRowCount > 0 && o3tl::make_unsigned(nRowCount) > nMaxRecords) + sal_Int16 i, nReadRowCount = 0; + rSt.ReadInt16( nReadRowCount ).ReadInt16( i ).ReadInt16( i ); + if (nReadRowCount > 0) { - SAL_WARN("filter.ms", "Parsing error: " << nMaxRecords << - " max possible entries, but " << nRowCount << " claimed, truncating"); - nRowCount = nMaxRecords; - } - if (nRowCount > 0) - { - std::unique_ptr pTableArry(new sal_uInt32[ nRowCount + 2 ]); - pTableArry[ 0 ] = nTableProperties; - pTableArry[ 1 ] = nRowCount; - for ( i = 0; i < nRowCount; i++ ) - rSt.ReadUInt32( pTableArry[ i + 2 ] ); - rData.pTableRowProperties = std::move(pTableArry); + const size_t nMinRecordSize = 4; + const size_t nMaxRecords = rSt.remainingSize() / nMinRecordSize; + + auto nRowCount = o3tl::make_unsigned(nReadRowCount); + if (nRowCount > nMaxRecords) + { + SAL_WARN("filter.ms", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nRowCount << " claimed, truncating"); + nRowCount = nMaxRecords; + } + if (nRowCount > 0) + { + std::unique_ptr pTableArry(new sal_uInt32[ nRowCount + 2 ]); + pTableArry[ 0 ] = nTableProperties; + pTableArry[ 1 ] = nRowCount; + for (decltype(nRowCount) nRow = 0; nRow < nRowCount; ++nRow) + rSt.ReadUInt32(pTableArry[nRow + 2]); + rData.pTableRowProperties = std::move(pTableArry); + } } } } -- cgit v1.2.3