From 7e22869694a7a1dd66d68e262727e64cc4dd6384 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Wed, 31 Mar 2021 20:14:07 +0100
Subject: cid#1473732 Untrusted loop bound
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

and cid#1474044 Untrusted loop bound

Change-Id: If30dc454d60adca11fd1a53ecf472555e328bd42
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113441
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
---
 basic/source/sbx/sbxarray.cxx | 12 +++++++-----
 sc/source/filter/excel/xltoolbar.cxx | 11 ++++++-----
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index 4f5a9fd3cfb0..06774acddc00 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,20 +531,22 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
 bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
 {
- short nDimension(0);
- rStrm.ReadInt16( nDimension );
+ short nTmp(0);
+ rStrm.ReadInt16(nTmp);
- if (nDimension > 0)
+ if (nTmp > 0)
 {
+ auto nDimension = o3tl::make_unsigned(nTmp);
+
 const size_t nMinRecordSize = 4;
 const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
- if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+ if (nDimension > nMaxPossibleRecords)
 {
 SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
 return false;
 }
- for (short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
+ for (decltype(nDimension) i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
 {
 sal_Int16 lb(0), ub(0);
 rStrm.ReadInt16( lb ).ReadInt16( ub );
diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index acf6d8339f20..c4178ccafea1 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
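Review bot: In SbxDimArray::LoadData (basic/source/sbx/sbxarray.cxx) the constant `nMinRecordSize = 4` is unexplained, although the whole sanity check depends on it matching what one loop iteration consumes from the stream. The last visible lines read two `sal_Int16` values per dimension, so I would annotate it the way the xltoolbar.cxx hunk does, e.g. `const size_t nMinRecordSize = 4; // lb + ub, two sal_Int16 per dimension`, or derive it as `2 * sizeof(sal_Int16)`. `lb` and `ub` are stream-controlled as well, and any validation of them happens past the end of the hunk, so this change only bounds the iteration count. The loop body and the rest of the function continue outside the hunk.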
@@ -100,19 +100,20 @@ bool ScCTB::Read( SvStream &rS )
 }
 rS.ReadUInt32( ectbid );
- sal_Int16 nIndexes = tb.getcCL();
-
- if (nIndexes > 0)
+ sal_Int16 nCL = tb.getcCL();
+ if (nCL > 0)
 {
+ auto nIndexes = o3tl::make_unsigned(nCL);
+
 const size_t nMinRecordSize = 11; // ScTBC's TBCHeader reads min 11 bytes
 const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
- if (o3tl::make_unsigned(nIndexes) > nMaxPossibleRecords)
+ if (nIndexes > nMaxPossibleRecords)
 {
 SAL_WARN("sc.filter", "ScCTB::Read more entries claimed than stream could contain");
 return false;
 }
- for ( sal_Int16 index = 0; index < nIndexes; ++index )
+ for (decltype(nIndexes) index = 0; index < nIndexes; ++index)
 {
 ScTBC aTBC;
 aTBC.Read( rS );
-- cgit
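Review bot: The rewritten loop in ScCTB::Read still runs to `nIndexes` regardless of stream state, and the last visible line discards whatever `aTBC.Read( rS )` reports. The size pre-check only guarantees that the claimed count could fit at 11 bytes per record; a record that is malformed or longer than the minimum can exhaust the stream early, after which the remaining iterations (up to 32767) keep operating on a failed stream. The sbxarray.cxx loop in the same commit already guards against this, so I would mirror it here with `for (decltype(nIndexes) index = 0; index < nIndexes && rS.GetError() == ERRCODE_NONE; ++index)` and return false if the stream is in error once the loop ends. The loop body continues outside the hunk, so what happens to `aTBC` after the read is not visible here.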