filter/source/msfilter/dffpropset.cxx | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
New commits: commit a657260c419a7138971aeb0151c81dcb23df3748 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Wed Jul 24 10:34:01 2019 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Wed Jul 24 17:04:04 2019 +0200 cid#1448519 Untrusted loop bound Change-Id: I92952fdef3e1066082d7ba8c3befebfcb7f9adc1 Reviewed-on: https://gerrit.libreoffice.org/76242 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/filter/source/msfilter/dffpropset.cxx b/filter/source/msfilter/dffpropset.cxx index 73c0e45d64db..5b0b1194ae06 100644 --- a/filter/source/msfilter/dffpropset.cxx +++ b/filter/source/msfilter/dffpropset.cxx @@ -20,6 +20,7 @@ #include <algorithm> #include <filter/msfilter/dffpropset.hxx> #include <filter/msfilter/dffrecordheader.hxx> +#include <sal/log.hxx> #include <svx/msdffdef.hxx> #include <rtl/ustrbuf.hxx> #include <tools/stream.hxx> @@ -1109,14 +1110,22 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly ) sal_uInt32 nComplexDataFilePos = rIn.Tell() + ( nPropCount * 6 ); - for( sal_uInt32 nPropNum = 0; nPropNum < nPropCount; nPropNum++ ) + const size_t nMaxPossibleRecords = rIn.remainingSize() / (sizeof(sal_uInt16) + sizeof(sal_uInt32)); + if (nPropCount > nMaxPossibleRecords) { - sal_uInt16 nTmp; - sal_uInt32 nRecType, nContent; + SAL_WARN("filter.ms", "Parsing error: " << nMaxPossibleRecords << + " max possible entries, but " << nPropCount << " claimed, truncating"); + nPropCount = nMaxPossibleRecords; + } + + for (sal_uInt32 nPropNum = 0; nPropNum < nPropCount; ++nPropNum) + { + sal_uInt16 nTmp(0); + sal_uInt32 nContent(0); rIn.ReadUInt16( nTmp ) .ReadUInt32( nContent ); - nRecType = nTmp & 0x3fff; + sal_uInt32 nRecType = nTmp & 0x3fff; if ( nRecType > 0x3ff ) break; _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits