[Libreoffice-commits] core.git: sc/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Sun Mar 28 16:09:07 UTC 2021
sc/source/core/tool/autoform.cxx | 10 ++++++++++
1 file changed, 10 insertions(+)
New commits:
commit 8e82d5c56b67fbc7902583d14898f271888a4ac1
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Sat Mar 27 21:01:38 2021 +0000
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Sun Mar 28 18:08:24 2021 +0200
cid#1474024 Untrusted loop bound
Change-Id: Ib646c3e55358442d4d5490e0c20564b35c7fb7d7
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113236
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sc/source/core/tool/autoform.cxx b/sc/source/core/tool/autoform.cxx
index 484236861152..2a3eee322087 100644
--- a/sc/source/core/tool/autoform.cxx
+++ b/sc/source/core/tool/autoform.cxx
@@ -868,6 +868,16 @@ void ScAutoFormat::Load()
sal_uInt16 nCnt = 0;
rStream.ReadUInt16( nCnt );
bRet = (rStream.GetError() == ERRCODE_NONE);
+
+ // there has to at least be a sal_uInt16 header
+ const size_t nMaxRecords = rStream.remainingSize() / sizeof(sal_uInt16);
+ if (nCnt > nMaxRecords)
+ {
+ SAL_WARN("sc", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nCnt << " claimed, truncating");
+ nCnt = nMaxRecords;
+ }
+
for (sal_uInt16 i=0; bRet && (i < nCnt); i++)
{
std::unique_ptr<ScAutoFormatData> pData(new ScAutoFormatData());
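Review bot: The assignment `nCnt = nMaxRecords;` implicitly narrows a size_t into a sal_uInt16. It is safe only because the branch is entered when nMaxRecords is smaller than nCnt, so I would make that explicit with `nCnt = static_cast<sal_uInt16>(nMaxRecords);`. The bound is also loose, at two bytes per record, so a count read from the file can still far exceed the number of complete records the stream holds. The loop therefore presumably relies on `bRet` turning false at the first short read, but its body continues outside the hunk, so this is not visible here. The comment would say more as `// each record takes at least a sal_uInt16, so the stream cannot hold more entries than this`.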