basic/source/basmgr/basmgr.cxx | 10 +++++++++- basic/source/classes/image.cxx | 11 ++++++++++- basic/source/classes/sb.cxx | 12 ++++++++++-- dbaccess/source/core/dataaccess/databasedocument.cxx | 19 +++++++++++++++++-- editeng/source/editeng/editobj.cxx | 18 +++++++++++++----- sc/source/core/data/documen8.cxx | 16 ++++++++++++++-- sw/source/uibase/uiview/srcview.cxx | 6 +++--- 7 files changed, 76 insertions(+), 16 deletions(-)
New commits: commit ff1aae469f6521b67e51c9e77415ba847eed69e8 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 17:22:36 2014 +0000 coverity#1242614 Untrusted loop bound Change-Id: I913e14d30d54b4b370c14017b0702005c23c4fc4 diff --git a/sc/source/core/data/documen8.cxx b/sc/source/core/data/documen8.cxx index f6132be..ee3bd90 100644 --- a/sc/source/core/data/documen8.cxx +++ b/sc/source/core/data/documen8.cxx @@ -757,9 +757,21 @@ void ScDocument::LoadDdeLinks(SvStream& rStream) ScMultipleReadHeader aHdr( rStream ); - sal_uInt16 nCount; + sal_uInt16 nCount(0); rStream.ReadUInt16( nCount ); - for (sal_uInt16 i=0; i<nCount; i++) + + const rtl_TextEncoding eCharSet = rStream.GetStreamCharSet(); + const size_t nMinStringSize = eCharSet == RTL_TEXTENCODING_UNICODE ? sizeof(sal_uInt32) : sizeof(sal_uInt16); + const size_t nMinRecordSize = 1 + nMinStringSize*3; + const size_t nMaxRecords = rStream.remainingSize() / nMinRecordSize; + if (nCount > nMaxRecords) + { + SAL_WARN("sc", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nCount << " claimed, truncating"); + nCount = nMaxRecords; + } + + for (sal_uInt16 i=0; i<nCount; ++i) { ScDdeLink* pLink = new ScDdeLink( this, rStream, aHdr ); pMgr->InsertDDELink(pLink, pLink->GetAppl(), pLink->GetTopic(), pLink->GetItem()); commit eee29076a141d200b8ce6b2792c698bbbfb80118 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:59:13 2014 +0000 coverity#1242632 Untrusted loop bound Change-Id: I4ec2e1a21a6a27c31c3308a5f72dbdcb33a62f39 diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx index 33ecb67..9c1da0e 100644 --- a/editeng/source/editeng/editobj.cxx +++ b/editeng/source/editeng/editobj.cxx 
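Review bot: In ScDocument::LoadDdeLinks the clamp bounds nCount by the smallest possible record, but each record holds variable-length strings, so the stream can still run out before the loop finishes, and nothing in the visible loop checks stream state after `new ScDdeLink( this, rStream, aHdr )`. Unless the constructor or the caller handles this (not visible here), links built from failed reads are still passed to InsertDDELink. Stopping at the first short read would be `for (sal_uInt16 i=0; i<nCount && rStream.good(); ++i)`. The same applies to the clamped loops in basmgr.cxx, image.cxx, sb.cxx and editobj.cxx in this series. The loop body continues outside the hunk.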
@@ -1288,17 +1288,25 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) pC->GetParaAttribs().Load( rIStream ); // The number of attributes ... - sal_uInt16 nTmp16; + sal_uInt16 nTmp16(0); rIStream.ReadUInt16( nTmp16 ); size_t nAttribs = nTmp16; + const size_t nMinRecordSize(10); + const size_t nMaxRecords = rIStream.remainingSize() / nMinRecordSize; + if (nAttribs > nMaxRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nAttribs << " claimed, truncating"); + nAttribs = nMaxRecords; + } + // And the individual attributes // Items as Surregate => always 8 bytes per Attributes // Which = 2; Surregat = 2; Start = 2; End = 2; - size_t nAttr; - for (nAttr = 0; nAttr < nAttribs; ++nAttr) + for (size_t nAttr = 0; nAttr < nAttribs; ++nAttr) { - sal_uInt16 _nWhich, nStart, nEnd; + sal_uInt16 _nWhich(0), nStart(0), nEnd(0); const SfxPoolItem* pItem; rIStream.ReadUInt16( _nWhich ); @@ -1345,7 +1353,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) } } - for (nAttr = pC->aAttribs.size(); nAttr; ) + for (size_t nAttr = pC->aAttribs.size(); nAttr; ) { const XEditAttribute& rAttr = pC->aAttribs[--nAttr]; if ( rAttr.GetItem()->Which() == EE_CHAR_FONTINFO ) commit 712d781538880d96a511d0b1323283a4112c93cc Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:53:46 2014 +0000 coverity#706401 Uncaught exception Change-Id: Iacbaf56a23d6f1878c5a5ec6f00db8211cb8ed62 diff --git a/dbaccess/source/core/dataaccess/databasedocument.cxx b/dbaccess/source/core/dataaccess/databasedocument.cxx index fd62f8a..cac2576 100644 --- a/dbaccess/source/core/dataaccess/databasedocument.cxx +++ b/dbaccess/source/core/dataaccess/databasedocument.cxx 
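Review bot: In EditTextObjectImpl::CreateData the new `nMinRecordSize(10)` contradicts the comment a few lines below it, which still says "always 8 bytes per Attributes" and lists Which, Surregat, Start and End at 2 bytes each. One of the two is wrong. If a record really is 8 bytes, dividing by 10 under-counts and the clamp drops valid attributes at the end of a stream. If the surrogate is read as 4 bytes (the read is outside this hunk), the comment should be updated to something like `// Which = 2; Surrogate = 4; Start = 2; End = 2 => 10 bytes per attribute` and placed next to the constant.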
@@ -45,6 +45,7 @@ #include <com/sun/star/io/XSeekable.hpp> #include <com/sun/star/io/XOutputStream.hpp> #include <com/sun/star/io/XTruncate.hpp> +#include <com/sun/star/lang/WrappedTargetRuntimeException.hpp> #include <com/sun/star/script/provider/theMasterScriptProviderFactory.hpp> #include <com/sun/star/sdb/DatabaseContext.hpp> #include <com/sun/star/sdb/application/XDatabaseDocumentUI.hpp> @@ -755,7 +756,21 @@ void SAL_CALL ODatabaseDocument::recoverFromFile( const OUString& i_SourceLocati sal_Bool SAL_CALL ODatabaseDocument::attachResource( const OUString& _rURL, const Sequence< PropertyValue >& _rArguments ) throw (RuntimeException, std::exception) { DocumentGuard aGuard( *this, DocumentGuard::MethodUsedDuringInit ); - return impl_attachResource( _rURL, _rArguments, aGuard ); + sal_Bool bRet(sal_False); + try + { + bRet = impl_attachResource( _rURL, _rArguments, aGuard ); + } + catch( const RuntimeException& ) + { + throw; + } + catch( const Exception& ) + { + Any aError = ::cppu::getCaughtException(); + throw WrappedTargetRuntimeException( OUString(), *this, aError ); + } + return bRet; } bool ODatabaseDocument::impl_attachResource( const OUString& i_rLogicalDocumentURL, commit 68016b4407e3363b4ce4c54c3c653d7574283528 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:42:36 2014 +0000 coverity#706388 Uncaught exception Change-Id: I4382645e47ae81e3f15bf69aaa2432dcebd40712 diff --git a/dbaccess/source/core/dataaccess/databasedocument.cxx b/dbaccess/source/core/dataaccess/databasedocument.cxx index 993262b..fd62f8a 100644 --- a/dbaccess/source/core/dataaccess/databasedocument.cxx +++ b/dbaccess/source/core/dataaccess/databasedocument.cxx 
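Review bot: In ODatabaseDocument::attachResource the rethrow uses `WrappedTargetRuntimeException( OUString(), *this, aError )`, so the outer exception has an empty message and a caller that logs only Message learns nothing about why the load failed. Binding the caught exception and forwarding its text keeps the cause visible without unwrapping TargetException: `catch( const Exception& e )` followed by `throw WrappedTargetRuntimeException( e.Message, *this, aError );`. The `bRet` temporary is also unnecessary, since `return impl_attachResource( _rURL, _rArguments, aGuard );` can sit inside the try block.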
@@ -1152,7 +1152,7 @@ void SAL_CALL ODatabaseDocument::storeAsURL( const OUString& _rURL, const Sequen bool bImplicitInitialization = !impl_isInitialized(); // implicit initialization while another initialization is just running is not possible if ( bImplicitInitialization && impl_isInitializing() ) - throw DoubleInitializationException(); + throw RuntimeException(); if ( bImplicitInitialization ) impl_setInitializing(); commit 7d6c07fa2b48376013b9f8784496d9c1207708f2 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:37:27 2014 +0000 coverity#1242689 Untrusted loop bound Change-Id: Ie226805ef8d430eb3f7b3abaa54ac3af31f72f7b diff --git a/basic/source/basmgr/basmgr.cxx b/basic/source/basmgr/basmgr.cxx index 1505652..b0f0521 100644 --- a/basic/source/basmgr/basmgr.cxx +++ b/basic/source/basmgr/basmgr.cxx @@ -860,7 +860,15 @@ void BasicManager::LoadBasicManager( SotStorage& rStorage, const OUString& rBase DBG_ASSERT( false, "BasicManager-Stream defect!" ); return; } - for ( sal_uInt16 nL = 0; nL < nLibs; nL++ ) + const size_t nMinBasicLibSize(8); + const size_t nMaxPossibleLibs = xManagerStream->remainingSize() / nMinBasicLibSize; + if (nLibs > nMaxPossibleLibs) + { + SAL_WARN("basic", "Parsing error: " << nMaxPossibleLibs << + " max possible entries, but " << nLibs << " claimed, truncating"); + nLibs = nMaxPossibleLibs; + } + for (sal_uInt16 nL = 0; nL < nLibs; ++nL) { BasicLibInfo* pInfo = BasicLibInfo::Create( *xManagerStream ); commit 1409c0bd884ffc2c9fb656fe61ac62d759bc436d Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:33:55 2014 +0000 coverity#1242865 Untrusted loop bound Change-Id: I9dc9cd98d0a02a2867d4c40c7afb7bf873513143 diff --git a/basic/source/classes/image.cxx b/basic/source/classes/image.cxx index 7a15cce..1543cae 100644 --- a/basic/source/classes/image.cxx +++ b/basic/source/classes/image.cxx 
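Review bot: In ODatabaseDocument::storeAsURL the replacement `throw RuntimeException();` carries neither a message nor a context object, so the one thing the old DoubleInitializationException type conveyed (that an initialization was already running) is now lost to callers and logs. A message and context restore that, e.g. `throw RuntimeException("storeAsURL: implicit initialization while another initialization is running", *this);`. Whether any caller relied on catching DoubleInitializationException specifically is not visible in this hunk and is worth checking. The function body continues outside the hunk.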
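Review bot: `nMinBasicLibSize(8)` in BasicManager::LoadBasicManager is a bare number with no indication of which serialized BasicLibInfo fields it accounts for, so a reader cannot verify that it is a true lower bound. If it is too large, the clamp silently drops valid libraries at the end of a well-formed stream. A one-line comment listing the fields and their sizes next to the constant would make the bound auditable, in the way image.cxx does with `//assuming an empty string with just the lead 32bit/16bit len indicator`. `nMinSbxSize(14)` in sb.cxx needs the same. The loop body continues outside the hunk.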
@@ -156,7 +156,16 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion ) } case B_EXTSOURCE: { - for( sal_uInt16 j = 0 ; j < nCount ; j++ ) + //assuming an empty string with just the lead 32bit/16bit len indicator + const size_t nMinStringSize = (eCharSet == RTL_TEXTENCODING_UNICODE) ? 4 : 2; + const size_t nMaxStrings = r.remainingSize() / nMinStringSize; + if (nCount > nMaxStrings) + { + SAL_WARN("basic", "Parsing error: " << nMaxStrings << + " max possible entries, but " << nCount << " claimed, truncating"); + nCount = nMaxStrings; + } + for( sal_uInt16 j = 0; j < nCount; ++j) { aOUSource += r.ReadUniOrByteString(eCharSet); } commit 5b0c95d81eb4c311d80aabaa1cfe16bc1b426111 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:16:14 2014 +0000 coverity#1242794 Untrusted loop bound Change-Id: I902a5bf989a8f385994a2f927cce4975b18f06d2 diff --git a/basic/source/classes/sb.cxx b/basic/source/classes/sb.cxx index 5a88c3d..8c2155e 100644 --- a/basic/source/classes/sb.cxx +++ b/basic/source/classes/sb.cxx @@ -1895,10 +1895,18 @@ bool StarBASIC::LoadData( SvStream& r, sal_uInt16 nVer ) } ppDeleteTab.reset(); - sal_uInt16 nMod; + sal_uInt16 nMod(0); pModules->Clear(); r.ReadUInt16( nMod ); - for( sal_uInt16 i = 0; i < nMod; i++ ) + const size_t nMinSbxSize(14); + const size_t nMaxPossibleEntries = r.remainingSize() / nMinSbxSize; + if (nMod > nMaxPossibleEntries) + { + nMod = nMaxPossibleEntries; + SAL_WARN("basic", "Parsing error: " << nMaxPossibleEntries << + " max possible entries, but " << nMod << " claimed, truncating"); + } + for (sal_uInt16 i = 0; i < nMod; ++i) { SbxBase* pBase = SbxBase::Load( r ); SbModule* pMod = dynamic_cast<SbModule*>(pBase); commit 4a83b67e3c3dc8bceb6602ce155f2463f72f4855 Author: Caolán McNamara <caol...@redhat.com> Date: Wed Nov 5 16:10:18 2014 +0000 coverity#735652 Division or modulo by zero and coverity#735651 Division or modulo by zero Change-Id: I412308ef3e736b1e9c72d1dd3a8d80d2dce92d67 
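Review bot: In StarBASIC::LoadData (sb.cxx) the clamp assigns `nMod = nMaxPossibleEntries;` before the SAL_WARN, so the warning prints the already-truncated value as the "claimed" count and the number that was actually read from the file is lost. The other hunks in this series log first and assign afterwards; here the two statements should be swapped so that `nMod = nMaxPossibleEntries;` follows the SAL_WARN. The claimed count is the value someone triaging a malformed or hostile document needs from this message. The loop body continues outside the hunk.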
diff --git a/sw/source/uibase/uiview/srcview.cxx b/sw/source/uibase/uiview/srcview.cxx index 0a21851..9ba50da 100644 --- a/sw/source/uibase/uiview/srcview.cxx +++ b/sw/source/uibase/uiview/srcview.cxx @@ -721,9 +721,9 @@ sal_Int32 SwSrcView::PrintSource( aPaperSz.Height() -= (TMARGPRN + BMARGPRN); // nLinepPage is not true, if lines have to be wrapped... - const long nLinespPage = aPaperSz.Height() / nLineHeight; - const sal_Int32 nCharspLine = - static_cast<sal_Int32>(aPaperSz.Width() / pOutDev->GetTextWidth("X")); + const long nLinespPage = nLineHeight ? aPaperSz.Height() / nLineHeight : 1; + const long nCharWidth = pOutDev->GetTextWidth("X"); + const sal_Int32 nCharspLine = nCharWidth ? static_cast<sal_Int32>(aPaperSz.Width() / nCharWidth) : 1; const sal_uLong nParas = pTextEngine->GetParagraphCount(); const sal_Int32 nPages = static_cast<sal_Int32>(nParas / nLinespPage + 1 );
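Review bot: In SwSrcView::PrintSource the new guards only cover a zero divisor, but the quotient itself can still be zero: if `aPaperSz.Height()` is smaller than `nLineHeight` after the margins are subtracted, `nLinespPage` becomes 0 and the last visible line, `nParas / nLinespPage + 1`, divides by zero anyway. The same holds for `nCharspLine` if it is used as a divisor further down, which is outside this hunk. Clamping the result rather than the divisor closes both cases, e.g. `const long nLinespPage = nLineHeight ? std::max<long>(1, aPaperSz.Height() / nLineHeight) : 1;` (needs `<algorithm>` if it is not already included). The leading comment still says `nLinepPage`, which does not match the variable name.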