[Libreoffice-commits] core.git: basic/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Mon Mar 29 13:03:29 UTC 2021


 basic/source/sbx/sbxarray.cxx |   14 +++++++++++++-
 basic/source/sbx/sbxbase.cxx  |    6 +++---
 2 files changed, 16 insertions(+), 4 deletions(-)

New commits:
commit e96b6f8a8c588e9cc14bf583cf9c48e693c83751
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Mon Mar 29 11:00:51 2021 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Mon Mar 29 15:02:46 2021 +0200

    cid#1474044 Untrusted loop bound
    
    Change-Id: Ibb20ffc2219c25add421cd4803e80b15b131c93b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113306
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index f531803f617a..fa2a2aa69f9a 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,8 +531,20 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
 
 bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
 {
-    short nDimension;
+    short nDimension(0);
     rStrm.ReadInt16( nDimension );
+
+    if (nDimension > 0)
+    {
+        const size_t nMinRecordSize = 4;
+        const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
+        if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+        {
+            SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
+            return false;
+        }
+    }
+
     for( short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; i++ )
     {
         sal_Int16 lb(0), ub(0);
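Review bot: The `nMinRecordSize = 4` in the new bound check is a bare number whose meaning depends on what the loop below reads per dimension; the only visible hint is `sal_Int16 lb(0), ub(0);`, which suggests two 16-bit values per record. Tying the constant to that layout, e.g. `const size_t nMinRecordSize = 2 * sizeof(sal_Int16); // lb + ub per dimension`, keeps the check correct if the record format ever changes. The check only rejects counts that the remaining stream cannot hold, so the `rStrm.GetError() == ERRCODE_NONE` test in the loop condition is still needed for reads that fail part-way. The loop body continues outside the hunk.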
diff --git a/basic/source/sbx/sbxbase.cxx b/basic/source/sbx/sbxbase.cxx
index 0e057540c8bc..b57c9bdb9008 100644
--- a/basic/source/sbx/sbxbase.cxx
+++ b/basic/source/sbx/sbxbase.cxx
@@ -180,8 +180,8 @@ SbxObject* SbxBase::CreateObject( const OUString& rClass )
 
 SbxBase* SbxBase::Load( SvStream& rStrm )
 {
-    sal_uInt16 nSbxId, nFlagsTmp, nVer;
-    sal_uInt32 nCreator, nSize;
+    sal_uInt16 nSbxId(0), nFlagsTmp(0), nVer(0);
+    sal_uInt32 nCreator(0), nSize(0);
     rStrm.ReadUInt32( nCreator ).ReadUInt16( nSbxId ).ReadUInt16( nFlagsTmp ).ReadUInt16( nVer );
     SbxFlagBits nFlags = static_cast<SbxFlagBits>(nFlagsTmp);
 
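Review bot: Zero-initialising `nSbxId`, `nFlagsTmp`, `nVer`, `nCreator` and `nSize` makes a short read deterministic, but nothing visible in this hunk distinguishes a failed header read from a header that really contains zeros. If the code after the `static_cast<SbxFlagBits>` line does not already test the stream, a guard directly after the chained reads, such as `if (!rStrm.good()) return nullptr;`, would stop a truncated file from being processed as creator 0 / id 0. The rest of SbxBase::Load is outside the hunk, so this needs confirming against the full function.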
@@ -297,7 +297,7 @@ void SbxInfo::LoadData( SvStream& rStrm, sal_uInt16 nVer )
     rStrm.ReadUInt32( nHelpId ).ReadUInt16( nParam );
     while( nParam-- )
     {
-        sal_uInt16 nType, nFlagsTmp;
+        sal_uInt16 nType(0), nFlagsTmp(0);
         sal_uInt32 nUserData = 0;
         OUString aName = read_uInt16_lenPrefixed_uInt8s_ToOUString(rStrm,
             RTL_TEXTENCODING_ASCII_US);
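Review bot: `while( nParam-- )` is the same kind of stream-controlled loop bound that this commit limits in SbxDimArray::LoadData, yet here it is left unbounded: `nParam` comes straight from `ReadUInt16` and the visible loop condition has no stream-state test. On a truncated stream the loop could keep iterating over failed reads up to the full 16-bit count; the new zero-initialisers make those iterations deterministic but do not stop them. Consider `while( nParam-- && rStrm.good() )`, or a remaining-size check like the one added in sbxarray.cxx. The loop body continues outside the hunk, so an existing break on error may simply be out of view.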

