[Libreoffice-commits] core.git: registry/source
Norbert Thiebaud
nthiebaud at gmail.com
Fri Jul 4 11:33:47 PDT 2014
registry/source/keyimpl.cxx | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
New commits:
commit e18e2b174c6bcf8ed5c5a6d3c88e84f31f2f375a
Author: Norbert Thiebaud <nthiebaud at gmail.com>
Date: Fri Jul 4 20:30:59 2014 +0200
coverity#1213422 Tainted Scalar
Change-Id: I87e845f346fda225127e3439e768b31a8eb93be3
diff --git a/registry/source/keyimpl.cxx b/registry/source/keyimpl.cxx
index 38fa3bb..52c2642 100644
--- a/registry/source/keyimpl.cxx
+++ b/registry/source/keyimpl.cxx
@@ -707,6 +707,15 @@ RegError ORegKey::getLongListValue(const OUString& valueName, sal_Int32** pValue
rtl_freeMemory(pBuffer);
+ /* check for 'reasonable' value */
+ /* surely 10 millions entry in a registry list should be enough */
+ if(valueSize > 40000000)
+ {
+ pValueList = NULL;
+ *pLen = 0;
+ rtl_freeMemory(pBuffer);
+ return REG_INVALID_VALUE;
+ }
pBuffer = (sal_uInt8*)rtl_allocateMemory(valueSize);
if ( rValue.readAt(VALUE_HEADEROFFSET, pBuffer, valueSize, readBytes) )
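Review bot: The added size guard frees `pBuffer` a second time: the context line directly above the new block already calls `rtl_freeMemory(pBuffer)`, and nothing reassigns the pointer before the guard's own `rtl_freeMemory(pBuffer)` runs, so an oversized `valueSize` taken from the registry file ends in a double free. Drop the free from this branch and keep only `*pLen = 0; return REG_INVALID_VALUE;`, or move the check above the existing free. Separately, `pValueList = NULL;` only changes the local parameter if it is the `sal_Int32**` that the truncated hunk header suggests; `*pValueList = NULL;` is presumably what was intended, to be confirmed against the full signature. The result of `rtl_allocateMemory(valueSize)` is still passed to `readAt` without a NULL check. The function starts and ends outside the hunk.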
@@ -727,12 +736,20 @@ RegError ORegKey::getLongListValue(const OUString& valueName, sal_Int32** pValue
sal_uInt32 len = 0;
readUINT32(pBuffer, len);
+ /* make sure the declared size of the arry is consistant with the amount of data we have read */
+ if(len > (valueSize - 4) / 4)
+ {
+ pValueList = NULL;
+ *pLen = 0;
+ rtl_freeMemory(pBuffer);
+ return REG_INVALID_VALUE;
+ }
*pLen = len;
sal_Int32* pVList = (sal_Int32*)rtl_allocateZeroMemory(len * sizeof(sal_Int32));
sal_uInt32 offset = 4; // initial 4 Bytes fuer die Laenge des Arrays;
- for (sal_uInt32 i=0; i < len; i++)
+ for (sal_uInt32 i = 0; i < len; i++)
{
readINT32(pBuffer+offset, pVList[i]);
offset += 4;
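Review bot: The consistency check `len > (valueSize - 4) / 4` does not protect the loop when `valueSize` is below 4. Assuming `valueSize` is an unsigned 32-bit value (its declaration is outside the hunk), the subtraction wraps to a large number, so a very large `len` passes and the `readINT32(pBuffer+offset, ...)` loop runs past the allocation. The `readUINT32(pBuffer, len)` context line already reads four bytes from a buffer that may be shorter than that. Reject short values first, e.g. `if(valueSize < 4 || len > (valueSize - 4) / 4)`, ideally with the `valueSize < 4` test placed before `readUINT32`. The return value of `rtl_allocateZeroMemory` is also written through without a NULL check, and the loop and the rest of the function continue outside the hunk.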