[Libreoffice-commits] core.git: Branch 'libreoffice-4-3' - lotuswordpro/source

Thu Jul 3 09:59:36 PDT 2014

lotuswordpro/source/filter/tocread.cxx |   10 ++++++++++
 1 file changed, 10 insertions(+)

New commits:
commit 5ca5b048d74557cb67ae778efd7dcbe95216d6f5
Author: CaolÃ¡n McNamara <caolanm at redhat.com>
Date:   Thu Jul 3 11:17:37 2014 +0100

    coverity#1222240 Untrusted value as argument
    
    and
    
    coverity#1222239 Untrusted value as argument
    
    (cherry picked from commit 5e043613266113a873c55ad45ab0fb1ae14286e8)
    
    Change-Id: I48bacfd988a34d67ffa542edba7cba1bb9b0b3cc
    Reviewed-on: https://gerrit.libreoffice.org/10050
    Reviewed-by: Fridrich Strba <fridrich at documentfoundation.org>
    Tested-by: Fridrich Strba <fridrich at documentfoundation.org>

diff --git a/lotuswordpro/source/filter/tocread.cxx b/lotuswordpro/source/filter/tocread.cxx
index bb14371..71e75b1 100644
--- a/lotuswordpro/source/filter/tocread.cxx
+++ b/lotuswordpro/source/filter/tocread.cxx
@@ -67,6 +67,16 @@ CBenTOCReader::ReadLabelAndTOC()
     if ((Err = ReadLabel(&TOCOffset, &cTOCSize)) != BenErr_OK)
         return Err;
 
+    unsigned long nLength;
+    if ((Err = cpContainer->GetSize(&nLength)) != BenErr_OK)
+        return Err;
+
+    if (TOCOffset > nLength)
+        return BenErr_ReadPastEndOfTOC;
+
+    if (cTOCSize > nLength - TOCOffset)
+        return BenErr_ReadPastEndOfTOC;
+
     if ((Err = cpContainer->SeekToPosition(TOCOffset)) != BenErr_OK)
         return Err;
 
