[Libreoffice-commits] core.git: sc/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Mon Mar 29 12:04:59 UTC 2021 

 sc/source/filter/excel/xltoolbar.cxx |   28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

New commits:
commit e2581a9a20112af171ec22ad23d52671f8f94c94
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Mon Mar 29 10:41:00 2021 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Mon Mar 29 14:04:21 2021 +0200

    cid#1473732 Untrusted loop bound
    
    Change-Id: I92d10d08bbbb8b7bcf57ddf2a300893c139c8c3a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113303
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index b15006a36813..f94f96f50033 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
@@ -82,10 +82,15 @@ bool ScCTB::Read( SvStream &rS )
     nOffSet = rS.Tell();
     tb.Read( rS );
 
-    const size_t nMinRecordSize = 20; // TBVisualData reads 20 bytes
-    const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
-    if (nViews > nMaxPossibleRecords)
-        return false;
+    {
+        const size_t nMinRecordSize = 20; // TBVisualData reads 20 bytes
+        const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
+        if (nViews > nMaxPossibleRecords)
+        {
+            SAL_WARN("sc.filter", "ScCTB::Read more entries claimed than stream could contain");
+            return false;
+        }
+    }
 
     for ( sal_uInt16 index = 0; index < nViews; ++index )
     {
@@ -95,7 +100,20 @@ bool ScCTB::Read( SvStream &rS )
     }
     rS.ReadUInt32( ectbid );
 
-    for ( sal_Int16 index = 0; index < tb.getcCL(); ++index )
+    sal_Int16 nIndexes = tb.getcCL();
+
+    if (nIndexes > 0)
+    {
+        const size_t nMinRecordSize = 11; // ScTBC's TBCHeader reads min 11 bytes
+        const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
+        if (o3tl::make_unsigned(nIndexes) > nMaxPossibleRecords)
+        {
+            SAL_WARN("sc.filter", "ScCTB::Read more entries claimed than stream could contain");
+            return false;
+        }
+    }
+
+    for ( sal_Int16 index = 0; index < nIndexes; ++index )
     {
         ScTBC aTBC;
         aTBC.Read( rS );

More information about the Libreoffice-commits mailing list