[Libreoffice-commits] core.git: sc/source

Tue, 19 Nov 2019 13:18:13 -0800 

 sc/source/filter/excel/xistring.cxx |   11 +++++++++++
 sc/source/filter/inc/xistream.hxx   |    4 ++++
 2 files changed, 15 insertions(+)

New commits:
commit 03fe7f500f2ccfa5e6a41ad1c9b6b1d7d4403887
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Sun Nov 17 19:30:32 2019 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue Nov 19 22:16:50 2019 +0100

    cid#1448453 Untrusted value as argument
    
    Change-Id: I41a2f30df22b54e51acb593f340cb1ecf1c497b6
    Reviewed-on: https://gerrit.libreoffice.org/83037
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sc/source/filter/excel/xistring.cxx 
b/sc/source/filter/excel/xistring.cxx
index 096507ba8351..80b2e5140c21 100644
--- a/sc/source/filter/excel/xistring.cxx
+++ b/sc/source/filter/excel/xistring.cxx
@@ -113,6 +113,17 @@ void XclImpString::ReadFormats( XclImpStream& rStrm, 
XclFormatRunVec& rFormats )
 void XclImpString::ReadFormats( XclImpStream& rStrm, XclFormatRunVec& 
rFormats, sal_uInt16 nRunCount )
 {
     rFormats.clear();
+
+    size_t nElementSize = rStrm.GetRoot().GetBiff() == EXC_BIFF8 ? 4 : 2;
+    size_t nAvailableBytes = rStrm.GetRecLeft();
+    size_t nMaxElements = nAvailableBytes / nElementSize;
+    if (nRunCount > nMaxElements)
+    {
+        SAL_WARN("sc.filter", "XclImpString::ReadFormats - more formats 
claimed than stream could contain");
+        rStrm.SetSvStreamError(SVSTREAM_FILEFORMAT_ERROR);
+        return;
+    }
+
     rFormats.reserve( nRunCount );
     /*  #i33341# real life -- same character index may occur several times
         -> use AppendFormat() to validate formats */
diff --git a/sc/source/filter/inc/xistream.hxx 
b/sc/source/filter/inc/xistream.hxx
index 15cde8c9a911..855ff2c3219c 100644
--- a/sc/source/filter/inc/xistream.hxx
+++ b/sc/source/filter/inc/xistream.hxx
@@ -466,6 +466,10 @@ public:
     /** Restores stream position contained in rPos. */
     void                RestorePosition( const XclImpStreamPos& rPos );
 
+    /** Set an SVSTREAM_..._ERROR. */
+    void                SetSvStreamError( const ErrCode& rErrCode )
+                            { mrStrm.SetError( rErrCode ); }
+
 private:
     /** Seeks to next raw record header and reads record ID and size.
         @descr  This is a "raw" function, means that stream members are
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to