author | Caolán McNamara <caolanm@redhat.com> | 2015-02-02 10:05:04 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2015-02-02 10:57:19 +0000 |
commit | dcad3ac445980740b6a39761cdd1f1bd0b3e6e34 (patch) | |
tree | 6b4c1e82fcd5a4e641bdb0f6bfb27430f7cbcb9b | |
parent | coverity#1242531 Untrusted value as argument (diff) | |
coverity#1242624 Untrusted loop bound
Change-Id: Idf52c09828c2bab767e9ff0d07b61befd6bfc64b
-rw-r--r-- | filter/source/msfilter/msdffimp.cxx | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 77b6b8095aed..656c93fe6243 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -2153,13 +2153,19 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
 sal_uInt16 nNumElemMemVert = 0;
 rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
 }
- if ( nNumElemVert )
+ bool bImport = false;
+ if (nElemSizeVert == 8 || nElemSizeVert == 4)
+ {
+ //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
+ bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
+ }
+ if (bImport)
 {
- sal_Int32 nX, nY;
- sal_Int16 nTmpA, nTmpB;
 aCoordinates.realloc( nNumElemVert );
- for ( sal_uInt16 i = 0; i < nNumElemVert; i++ )
+ for (sal_uInt16 i = 0; i < nNumElemVert; ++i)
 {
+ sal_Int32 nX(0), nY(0);
+
 if ( nElemSizeVert == 8 )
 {
 rIn.ReadInt32( nX )
@@ -2167,6 +2173,7 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
 }
 else
 {
+ sal_Int16 nTmpA(0), nTmpB(0);
 rIn.ReadInt16( nTmpA )
 .ReadInt16( nTmpB ); |
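Review bot: The new gate `if (nElemSizeVert == 8 || nElemSizeVert == 4)` does more than bound the loop: before this change the `else` branch read any element size other than 8 as a pair of 16-bit values, and records with such a size are now skipped silently. If the format's truncated-array marker can appear here (MS-ODRAW uses 0xFFF0 for 8-byte elements stored as 4 bytes; confirm against the spec), normalise it before the check, e.g. `if (nElemSizeVert == 0xFFF0) nElemSizeVert = 4;`, so the stream-length test still covers it. A zero `nNumElemVert` also satisfies the division test, so the block now runs with an empty `aCoordinates` where the old `if ( nNumElemVert )` skipped it; `bImport = nNumElemVert && rIn.remainingSize() / nElemSizeVert >= nNumElemVert;` would keep the earlier behaviour. The function begins before the first hunk and continues past the second, so whatever consumes `aCoordinates` after the loop is not visible here.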