[Libreoffice-commits] core.git: sc/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Sat Jun 26 13:17:48 UTC 2021
sc/source/filter/excel/xiescher.cxx | 4 ++--
sc/source/filter/excel/xlformula.cxx | 33 +++++++++++++++++++++++++--------
sc/source/filter/inc/xlformula.hxx | 4 ++--
3 files changed, 29 insertions(+), 12 deletions(-)
New commits:
commit 532946bc3cc9f21605dfe271db292bf4ab9d6f1d
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Jun 25 20:34:00 2021 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Sat Jun 26 15:17:08 2021 +0200
cid#1474269 Untrusted allocation size
Change-Id: I655c86be306a0300e9ec8404040eeb58d0579cb4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/117916
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sc/source/filter/excel/xiescher.cxx b/sc/source/filter/excel/xiescher.cxx
index c928ac37cf29..9b8d33f31d7d 100644
--- a/sc/source/filter/excel/xiescher.cxx
+++ b/sc/source/filter/excel/xiescher.cxx
@@ -2017,9 +2017,9 @@ void XclImpControlHelper::DoProcessControl( ScfPropertySet& ) const
void XclImpControlHelper::ReadRangeList( ScRangeList& rScRanges, XclImpStream& rStrm )
{
XclTokenArray aXclTokArr;
- aXclTokArr.ReadSize( rStrm );
+ sal_uInt16 nSize = XclTokenArray::ReadSize(rStrm);
rStrm.Ignore( 4 );
- aXclTokArr.ReadArray( rStrm );
+ aXclTokArr.ReadArray(nSize, rStrm);
mrRoot.GetFormulaCompiler().CreateRangeList( rScRanges, EXC_FMLATYPE_CONTROL, aXclTokArr, rStrm );
}
diff --git a/sc/source/filter/excel/xlformula.cxx b/sc/source/filter/excel/xlformula.cxx
index 8f176ab72921..1f974f47b38b 100644
--- a/sc/source/filter/excel/xlformula.cxx
+++ b/sc/source/filter/excel/xlformula.cxx
@@ -738,22 +738,39 @@ sal_uInt16 XclTokenArray::GetSize() const
return limit_cast< sal_uInt16 >( maTokVec.size() );
}
-void XclTokenArray::ReadSize( XclImpStream& rStrm )
+sal_uInt16 XclTokenArray::ReadSize(XclImpStream& rStrm)
{
- sal_uInt16 nSize = rStrm.ReaduInt16();
- maTokVec.resize( nSize );
+ return rStrm.ReaduInt16();
}
-void XclTokenArray::ReadArray( XclImpStream& rStrm )
+void XclTokenArray::ReadArray(sal_uInt16 nSize, XclImpStream& rStrm)
{
- if( !maTokVec.empty() )
- rStrm.Read(maTokVec.data(), GetSize());
+ maTokVec.resize(0);
+
+ const std::size_t nMaxBuffer = 4096;
+ std::size_t nBytesLeft = nSize;
+ std::size_t nTotalRead = 0;
+
+ while (true)
+ {
+ if (!nBytesLeft)
+ break;
+ std::size_t nReadRequest = o3tl::sanitizing_min(nBytesLeft, nMaxBuffer);
+ maTokVec.resize(maTokVec.size() + nReadRequest);
+ auto nRead = rStrm.Read(maTokVec.data() + nTotalRead, nReadRequest);
+ nTotalRead += nRead;
+ if (nRead != nReadRequest)
+ {
+ maTokVec.resize(nTotalRead);
+ break;
+ }
+ nBytesLeft -= nRead;
+ }
}
void XclTokenArray::Read( XclImpStream& rStrm )
{
- ReadSize( rStrm );
- ReadArray( rStrm );
+ ReadArray(ReadSize(rStrm), rStrm);
}
void XclTokenArray::WriteSize( XclExpStream& rStrm ) const
diff --git a/sc/source/filter/inc/xlformula.hxx b/sc/source/filter/inc/xlformula.hxx
index fae4ec282a83..43f220bd64c7 100644
--- a/sc/source/filter/inc/xlformula.hxx
+++ b/sc/source/filter/inc/xlformula.hxx
@@ -391,9 +391,9 @@ public:
bool IsVolatile() const { return mbVolatile; }
/** Reads the size field of the token array. */
- void ReadSize( XclImpStream& rStrm );
+ static sal_uInt16 ReadSize(XclImpStream& rStrm);
/** Reads the tokens of the token array (without size field). */
- void ReadArray( XclImpStream& rStrm );
+ void ReadArray(sal_uInt16 nSize, XclImpStream& rStrm);
/** Reads size field and the tokens. */
void Read( XclImpStream& rStrm );
More information about the Libreoffice-commits
mailing list