diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-01-25 21:17:35 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-01-25 21:17:35 +0000 |
| commit | 475461a6b5f26fe7f586ff122e2fa71316e316ef (patch) | |
| tree | e159a1b38c75a2bbee7c37d3aea0ac34e79f4c71 /filter | |
| parent | coverity#1266492 Untrusted value as argument (diff) | |
| download | core-475461a6b5f26fe7f586ff122e2fa71316e316ef.tar.gz core-475461a6b5f26fe7f586ff122e2fa71316e316ef.zip | |
coverity#1266494 Untrusted value as argument
Change-Id: I220e582cd75199b5619c2ad7607392b078ab3956
Diffstat (limited to 'filter')
| -rw-r--r-- | filter/source/msfilter/svdfppt.cxx | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index ba898c03e80a..ab1731d3f389 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -1201,7 +1201,15 @@ SdrObject* SdrEscherImport::ProcessObj( SvStream& rSt, DffObjData& rObjData, voi { sal_Int16 i, nRowCount = 0; rSt.ReadInt16( nRowCount ).ReadInt16( i ).ReadInt16( i ); - if ( nRowCount ) + const size_t nMinRecordSize = 4; + const size_t nMaxRecords = rSt.remainingSize() / nMinRecordSize; + if (nRowCount > 0 && static_cast<size_t>(nRowCount) > nMaxRecords) + { + SAL_WARN("filter.ms", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nRowCount << " claimed, truncating"); + nRowCount = nMaxRecords; + } + if (nRowCount > 0) { sal_uInt32* pTableArry = new sal_uInt32[ nRowCount + 2 ]; pTableArry[ 0 ] = nTableProperties; |