[Libreoffice-commits] core.git: filter/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Wed Jul 24 15:05:16 UTC 2019 

 filter/source/msfilter/dffpropset.cxx |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

New commits:
commit a657260c419a7138971aeb0151c81dcb23df3748
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Jul 24 10:34:01 2019 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Wed Jul 24 17:04:04 2019 +0200

    cid#1448519 Untrusted loop bound
    
    Change-Id: I92952fdef3e1066082d7ba8c3befebfcb7f9adc1
    Reviewed-on: https://gerrit.libreoffice.org/76242
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/msfilter/dffpropset.cxx b/filter/source/msfilter/dffpropset.cxx
index 73c0e45d64db..5b0b1194ae06 100644
--- a/filter/source/msfilter/dffpropset.cxx
+++ b/filter/source/msfilter/dffpropset.cxx
@@ -20,6 +20,7 @@
 #include <algorithm>
 #include <filter/msfilter/dffpropset.hxx>
 #include <filter/msfilter/dffrecordheader.hxx>
+#include <sal/log.hxx>
 #include <svx/msdffdef.hxx>
 #include <rtl/ustrbuf.hxx>
 #include <tools/stream.hxx>
@@ -1109,14 +1110,22 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
 
     sal_uInt32 nComplexDataFilePos = rIn.Tell() + ( nPropCount * 6 );
 
-    for( sal_uInt32 nPropNum = 0; nPropNum < nPropCount; nPropNum++ )
+    const size_t nMaxPossibleRecords = rIn.remainingSize() / (sizeof(sal_uInt16) + sizeof(sal_uInt32));
+    if (nPropCount > nMaxPossibleRecords)
     {
-        sal_uInt16 nTmp;
-        sal_uInt32 nRecType, nContent;
+        SAL_WARN("filter.ms", "Parsing error: " << nMaxPossibleRecords <<
+                 " max possible entries, but " << nPropCount << " claimed, truncating");
+        nPropCount = nMaxPossibleRecords;
+    }
+
+    for (sal_uInt32 nPropNum = 0; nPropNum < nPropCount; ++nPropNum)
+    {
+        sal_uInt16 nTmp(0);
+        sal_uInt32 nContent(0);
         rIn.ReadUInt16( nTmp )
            .ReadUInt32( nContent );
 
-        nRecType = nTmp & 0x3fff;
+        sal_uInt32 nRecType = nTmp & 0x3fff;
 
         if ( nRecType > 0x3ff )
             break;

More information about the Libreoffice-commits mailing list