lotuswordpro/source/filter/lwpdrawobj.cxx | 33 +++++++++++++++++++------ lotuswordpro/source/filter/lwptools.hxx | 6 ++++ sc/source/ui/condformat/colorformat.cxx | 4 +-- sc/source/ui/condformat/condformatdlgentry.cxx | 2 - sc/source/ui/miscdlgs/datafdlg.cxx | 5 +-- 5 files changed, 37 insertions(+), 13 deletions(-)
New commits: commit ac68cab1f1e6991bc95fe482f4d9be1538b827c4 Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 15:21:27 2014 +0100 coverity#1242739 Untrusted loop bound and coverity#1242739 Untrusted loop bound Change-Id: I2cab9b3c531befc42c1522dd0d4beb59df7ae315 diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 4ae6279..2ca16ad 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1209,10 +1209,14 @@ void LwpDrawTextArt::Read() sal_uInt16 nPointNumber; sal_Int16 nX, nY; m_pStream->ReadUInt16( nPointNumber ); + + size_t nPoints = nPointNumber*3+1; + if (nPoints > m_pStream->remainingSize() / 4) + throw BadRead(); + m_aTextArtRec.aPath[0].n = nPointNumber; - m_aTextArtRec.aPath[0].pPts = new SdwPoint [nPointNumber*3+1]; - sal_uInt16 nPt = 0; - for ( nPt = 0; nPt <= nPointNumber*3; nPt++) + m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints]; + for (size_t nPt = 0; nPt < nPoints; ++nPt) { m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); @@ -1221,9 +1225,14 @@ void LwpDrawTextArt::Read() } m_pStream->ReadUInt16( nPointNumber ); + + nPoints = nPointNumber*3+1; + if (nPoints > m_pStream->remainingSize() / 4) + throw BadRead(); + m_aTextArtRec.aPath[1].n = nPointNumber; - m_aTextArtRec.aPath[1].pPts = new SdwPoint [nPointNumber*3+1]; - for (nPt = 0; nPt <= nPointNumber*3; nPt++) + m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints]; + for (size_t nPt = 0; nPt < nPoints; ++nPt) { m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); @@ -1251,6 +1260,10 @@ void LwpDrawTextArt::Read() - (m_aTextArtRec.aPath[0].n*3 + 1)*4 - (m_aTextArtRec.aPath[1].n*3 + 1)*4; + + if (m_aTextArtRec.nTextLen > m_pStream->remainingSize()) + throw BadRead(); + m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen]; m_pStream->Read(m_aTextArtRec.pTextString, m_aTextArtRec.nTextLen); m_aTextArtRec.pTextString[m_aTextArtRec.nTextLen-1] = 0; commit da859a7949238e74e5287f1bacc61886b4294858 Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 15:13:01 2014 +0100 coverity#1242791 Untrusted loop bound Change-Id: Iba6d6b77fe30e11f50e16c1ee899b71ea4337355 diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index f357f9d..4ae6279 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -591,7 +591,10 @@ void LwpDrawPolygon::Read() this->ReadClosedObjStyle(); m_pStream->ReadUInt16( m_nNumPoints ); - m_pVector = new SdwPoint [m_nNumPoints]; + if (m_nNumPoints > m_pStream->remainingSize() / 4) + throw BadRead(); + + m_pVector = new SdwPoint[m_nNumPoints]; for (sal_uInt16 nC = 0; nC < m_nNumPoints; nC++) { commit e4ebd97a9b5dc3a25a142109d2a0dbe41925e431 Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 15:12:05 2014 +0100 coverity#1242918 Untrusted loop bound Change-Id: I8575a43a095165a81417f169463aaf2c4ab337e8 diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 4be146f..f357f9d 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -505,7 +505,10 @@ void LwpDrawPolyLine::Read() m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused ); m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints ); - m_pVector= new SdwPoint [m_aPolyLineRec.nNumPoints]; + if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4) + throw BadRead(); + + m_pVector= new SdwPoint[m_aPolyLineRec.nNumPoints]; for (sal_uInt16 nC = 0; nC < m_aPolyLineRec.nNumPoints; nC++) { diff --git a/lotuswordpro/source/filter/lwptools.hxx b/lotuswordpro/source/filter/lwptools.hxx index 51680bd..f240214 100644 --- a/lotuswordpro/source/filter/lwptools.hxx +++ b/lotuswordpro/source/filter/lwptools.hxx @@ -148,6 +148,12 @@ public: BadSeek() : std::runtime_error("Lotus Word Pro Bad Seek") { } }; +class BadRead: public std::runtime_error +{ +public: + BadRead() : std::runtime_error("Lotus Word Pro Bad Read") { } +}; + class BadDecompress : public std::runtime_error { public: commit 902a3df2daa196e2182b0741f0ec3849d158f42b Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 13:46:46 2014 +0100 coverity#735315 Unchecked return value Change-Id: If2e8d3cfe49a039cc27035ae9c0f037c2d60b122 diff --git a/sc/source/ui/condformat/colorformat.cxx b/sc/source/ui/condformat/colorformat.cxx index 4590ea3..28815b1 100644 --- a/sc/source/ui/condformat/colorformat.cxx +++ b/sc/source/ui/condformat/colorformat.cxx @@ -208,10 +208,10 @@ IMPL_LINK_NOARG( ScDataBarSettingsDlg, OkBtnHdl ) OUString aMaxString = mpEdMax->GetText(); double nMinValue = 0; sal_uInt32 nIndex = 0; - mpNumberFormatter->IsNumberFormat(aMinString, nIndex, nMinValue); + (void)mpNumberFormatter->IsNumberFormat(aMinString, nIndex, nMinValue); nIndex = 0; double nMaxValue = 0; - mpNumberFormatter->IsNumberFormat(aMaxString, nIndex, nMaxValue); + (void)mpNumberFormatter->IsNumberFormat(aMaxString, nIndex, nMaxValue); if(rtl::math::approxEqual(nMinValue, nMaxValue) || nMinValue > nMaxValue) bWarn = true; } commit 713524780312315e63f53deac96eaeef8c4e0e13 Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 13:45:50 2014 +0100 coverity#982180 Unchecked return value Change-Id: Ida858f633f1e9afcc1a5a06f503f0ab06d2d3e74 diff --git a/sc/source/ui/condformat/condformatdlgentry.cxx b/sc/source/ui/condformat/condformatdlgentry.cxx index 52ec400..b45f23c 100644 --- a/sc/source/ui/condformat/condformatdlgentry.cxx +++ b/sc/source/ui/condformat/condformatdlgentry.cxx @@ -1388,7 +1388,7 @@ ScColorScaleEntry* ScIconSetFrmtDataEntry::CreateEntry(ScDocument* pDoc, const S sal_uInt32 nIndex = 0; double nVal = 0; SvNumberFormatter* pNumberFormatter = pDoc->GetFormatTable(); - pNumberFormatter->IsNumberFormat(aText, nIndex, nVal); + (void)pNumberFormatter->IsNumberFormat(aText, nIndex, nVal); pEntry->SetValue(nVal); switch(nPos) commit 89b256f431c09097dd7bf3d163430ec54a7d9260 Author: Caolán McNamara <[email protected]> Date: Tue Oct 14 13:43:43 2014 +0100 coverity#1242430 Dereference after null check Change-Id: If1c59d6d06a9e4601731f13a69b1ac2603c0014b diff --git a/sc/source/ui/miscdlgs/datafdlg.cxx b/sc/source/ui/miscdlgs/datafdlg.cxx index 8a5f232..0d3f58d 100644 --- a/sc/source/ui/miscdlgs/datafdlg.cxx +++ b/sc/source/ui/miscdlgs/datafdlg.cxx @@ -209,14 +209,13 @@ ScDataFormDlg::~ScDataFormDlg() void ScDataFormDlg::FillCtrls(SCROW /*nCurrentRow*/) { - OUString aFieldName; for (sal_uInt16 i = 0; i < aColLength; ++i) { if (!maEdits.is_null(i)) { - if (nCurrentRow<=nEndRow) + if (nCurrentRow<=nEndRow && pDoc) { - aFieldName = pDoc->GetString(i + nStartCol, nCurrentRow, nTab); + OUString aFieldName(pDoc->GetString(i + nStartCol, nCurrentRow, nTab)); maEdits[i].SetText(aFieldName); } else
_______________________________________________ Libreoffice-commits mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
