[Libreoffice-commits] core.git: sd/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Sun Mar 28 16:09:26 UTC 2021
sd/source/filter/html/pubdlg.cxx | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
New commits:
commit 84aec8629e4ded68e7417836b9d73fb801df0c45
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Sat Mar 27 21:06:15 2021 +0000
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Sun Mar 28 18:08:43 2021 +0200
cid#1474092 Untrusted loop bound
Change-Id: I0a068e98a1d8d8523f188310025808143a5dbcf4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113237
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/sd/source/filter/html/pubdlg.cxx b/sd/source/filter/html/pubdlg.cxx
index 5fe558f1dd22..47a904bc098e 100644
--- a/sd/source/filter/html/pubdlg.cxx
+++ b/sd/source/filter/html/pubdlg.cxx
@@ -24,6 +24,7 @@
#include <vcl/image.hxx>
#include <vcl/svapp.hxx>
#include <vcl/weld.hxx>
+#include <sal/log.hxx>
#include <svtools/valueset.hxx>
#include <svtools/colrdlg.hxx>
#include <tools/debug.hxx>
@@ -1444,8 +1445,17 @@ void SdPublishingDlg::Load()
SdIOCompat aIO(*pStream, StreamMode::READ);
- sal_uInt16 nDesigns;
- pStream->ReadUInt16( nDesigns );
+ sal_uInt16 nDesigns(0);
+ pStream->ReadUInt16(nDesigns);
+
+ // there has to at least be a sal_uInt16 header in each design
+ const size_t nMaxRecords = pStream->remainingSize() / sizeof(sal_uInt16);
+ if (nDesigns > nMaxRecords)
+ {
+ SAL_WARN("sd", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nDesigns << " claimed, truncating");
+ nDesigns = nMaxRecords;
+ }
for( sal_uInt16 nIndex = 0;
pStream->GetError() == ERRCODE_NONE && nIndex < nDesigns;
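Review bot: The clamp `nDesigns = nMaxRecords;` narrows a `size_t` to a `sal_uInt16` implicitly. It cannot truncate, because the branch is only entered when `nMaxRecords < nDesigns`, but nothing at the assignment shows that. I would write `nDesigns = static_cast<sal_uInt16>(nMaxRecords); // fits: nMaxRecords < nDesigns in this branch`. The bound is also loose: it assumes two bytes per design and is measured against the whole remaining stream, so it only caps the file-supplied count at a plausible maximum, and the loop still depends on the `pStream->GetError() == ERRCODE_NONE` test to stop on a short file; a one-line comment above the `for` saying so would help. `SdPublishingDlg::Load()` starts before and continues past this hunk, so whether each per-design read sets the stream error on truncation cannot be confirmed from here.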