[Libreoffice-commits] core.git: sd/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Sun Mar 28 16:09:26 UTC 2021


 sd/source/filter/html/pubdlg.cxx |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

New commits:
commit 84aec8629e4ded68e7417836b9d73fb801df0c45
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Sat Mar 27 21:06:15 2021 +0000
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Sun Mar 28 18:08:43 2021 +0200

    cid#1474092 Untrusted loop bound
    
    Change-Id: I0a068e98a1d8d8523f188310025808143a5dbcf4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113237
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sd/source/filter/html/pubdlg.cxx b/sd/source/filter/html/pubdlg.cxx
index 5fe558f1dd22..47a904bc098e 100644
--- a/sd/source/filter/html/pubdlg.cxx
+++ b/sd/source/filter/html/pubdlg.cxx
@@ -24,6 +24,7 @@
 #include <vcl/image.hxx>
 #include <vcl/svapp.hxx>
 #include <vcl/weld.hxx>
+#include <sal/log.hxx>
 #include <svtools/valueset.hxx>
 #include <svtools/colrdlg.hxx>
 #include <tools/debug.hxx>
@@ -1444,8 +1445,17 @@ void SdPublishingDlg::Load()
 
     SdIOCompat aIO(*pStream, StreamMode::READ);
 
-    sal_uInt16 nDesigns;
-    pStream->ReadUInt16( nDesigns );
+    sal_uInt16 nDesigns(0);
+    pStream->ReadUInt16(nDesigns);
+
+    // there has to at least be a sal_uInt16 header in each design
+    const size_t nMaxRecords = pStream->remainingSize() / sizeof(sal_uInt16);
+    if (nDesigns > nMaxRecords)
+    {
+        SAL_WARN("sd", "Parsing error: " << nMaxRecords <<
+                 " max possible entries, but " << nDesigns << " claimed, truncating");
+        nDesigns = nMaxRecords;
+    }
 
     for( sal_uInt16 nIndex = 0;
          pStream->GetError() == ERRCODE_NONE && nIndex < nDesigns;


More information about the Libreoffice-commits mailing list