[Libreoffice-commits] core.git: basic/source sc/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Thu Apr 1 09:35:58 UTC 2021 

 basic/source/sbx/sbxarray.cxx        |   12 +++++++-----
 sc/source/filter/excel/xltoolbar.cxx |   11 ++++++-----
 2 files changed, 13 insertions(+), 10 deletions(-)

New commits:
commit 7e22869694a7a1dd66d68e262727e64cc4dd6384
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Mar 31 20:14:07 2021 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Thu Apr 1 11:35:14 2021 +0200

    cid#1473732 Untrusted loop bound
    
    and
    
    cid#1474044 Untrusted loop bound
    
    Change-Id: If30dc454d60adca11fd1a53ecf472555e328bd42
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113441
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index 4f5a9fd3cfb0..06774acddc00 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,20 +531,22 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
 
 bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
 {
-    short nDimension(0);
-    rStrm.ReadInt16( nDimension );
+    short nTmp(0);
+    rStrm.ReadInt16(nTmp);
 
-    if (nDimension > 0)
+    if (nTmp > 0)
     {
+        auto nDimension = o3tl::make_unsigned(nTmp);
+
         const size_t nMinRecordSize = 4;
         const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
-        if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+        if (nDimension > nMaxPossibleRecords)
         {
             SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
             return false;
         }
 
-        for (short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
+        for (decltype(nDimension) i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
         {
             sal_Int16 lb(0), ub(0);
             rStrm.ReadInt16( lb ).ReadInt16( ub );
diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index acf6d8339f20..c4178ccafea1 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
@@ -100,19 +100,20 @@ bool ScCTB::Read( SvStream &rS )
     }
     rS.ReadUInt32( ectbid );
 
-    sal_Int16 nIndexes = tb.getcCL();
-
-    if (nIndexes > 0)
+    sal_Int16 nCL = tb.getcCL();
+    if (nCL > 0)
     {
+        auto nIndexes = o3tl::make_unsigned(nCL);
+
         const size_t nMinRecordSize = 11; // ScTBC's TBCHeader reads min 11 bytes
         const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
-        if (o3tl::make_unsigned(nIndexes) > nMaxPossibleRecords)
+        if (nIndexes > nMaxPossibleRecords)
         {
             SAL_WARN("sc.filter", "ScCTB::Read more entries claimed than stream could contain");
             return false;
         }
 
-        for ( sal_Int16 index = 0; index < nIndexes; ++index )
+        for (decltype(nIndexes) index = 0; index < nIndexes; ++index)
         {
             ScTBC aTBC;
             aTBC.Read( rS );

More information about the Libreoffice-commits mailing list