coverity#1242624 Untrusted loop bound

Change-Id: If2ae1982eec100f5602a13d648beec247ced6aa2

coverity#1242624 Untrusted loop bound
Change-Id: If2ae1982eec100f5602a13d648beec247ced6aa2
711e7454 · Caolán McNamara · a4e01070 · 711e7454
Kaydet (Commit) 711e7454 authored Eki 17, 2014 tarafından Caolán McNamara
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 20 deletions

msdffimp.cxx filter/source/msfilter/msdffimp.cxx +44 -20

No files found.
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -1905,7 +1905,13 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
            sal_uInt16 nNumElemMem = 0;
            rIn.ReadUInt16( nNumElem ).ReadUInt16( nNumElemMem ).ReadUInt16( nElemSize );
        }
-        if ( nElemSize == 36 )
+        bool bImport = false;
+        if (nElemSize == 36)
+        {
+            //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
+            bImport = rIn.remainingSize() / nElemSize >= nNumElem;
+        }
+        if (bImport)
        {
            uno::Sequence< beans::PropertyValues > aHandles( nNumElem );
            for ( sal_uInt16 i = 0; i < nNumElem; i++ )
@@ -2317,12 +2323,19 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
                sal_uInt16 nNumElemMem = 0;
                rIn.ReadUInt16( nNumElem ).ReadUInt16( nNumElemMem ).ReadUInt16( nElemSize );
            }
-            if ( nElemSize == 16 )
+            bool bImport = false;
+            if (nElemSize == 16)
+            {
+                //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
+                bImport = rIn.remainingSize() / nElemSize >= nNumElem;
+            }
+            if (bImport)
            {
-                sal_Int32 nLeft, nTop, nRight, nBottom;
                com::sun::star::uno::Sequence< com::sun::star::drawing::EnhancedCustomShapeTextFrame > aTextFrames( nNumElem );
-                for ( sal_uInt16 i = 0; i < nNumElem; i++ )
+                for (sal_uInt16 i = 0; i < nNumElem; ++i)
                {
+                    sal_Int32 nLeft(0), nTop(0), nRight(0), nBottom(0);
                    rIn.ReadInt32( nLeft )
                       .ReadInt32( nTop )
                       .ReadInt32( nRight )
@@ -2350,26 +2363,37 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
            if ( SeekToContent( DFF_Prop_connectorPoints, rIn ) )
                rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
-            sal_Int32 nX, nY;
+            bool bImport = false;
-            sal_Int16 nTmpA, nTmpB;
+            if (nNumElemVert)
-            aGluePoints.realloc( nNumElemVert );
-            for ( sal_uInt16 i = 0; i < nNumElemVert; i++ )
            {
-                if ( nElemSizeVert == 8 )
+                //sanity check that the stream is long enough to fulfill nNumElemVert * nElemSizeVert;
-                {
+                bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
-                    rIn.ReadInt32( nX )
+            }
-                       .ReadInt32( nY );
-                }
+            if (bImport)
-                else
+            {
+                aGluePoints.realloc( nNumElemVert );
+                for (sal_uInt16 i = 0; i < nNumElemVert; ++i)
                {
-                    rIn.ReadInt16( nTmpA )
+                    sal_Int32 nX(0), nY(0);
-                       .ReadInt16( nTmpB );
+                    if ( nElemSizeVert == 8 )
+                    {
+                        rIn.ReadInt32( nX )
+                           .ReadInt32( nY );
+                    }
+                    else
+                    {
+                        sal_Int16 nTmpA(0), nTmpB(0);
-                    nX = nTmpA;
+                        rIn.ReadInt16( nTmpA )
-                    nY = nTmpB;
+                           .ReadInt16( nTmpB );
+                        nX = nTmpA;
+                        nY = nTmpB;
+                    }
+                    EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].First,  nX );
+                    EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].Second, nY );
                }
-                EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].First,  nX );
-                EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].Second, nY );
            }
            const OUString sGluePoints( "GluePoints" );
            aProp.Name = sGluePoints;