[Libreoffice-commits] core.git: sc/source

Tue, 13 Apr 2021 11:49:42 -0700 

 sc/source/filter/excel/xiescher.cxx |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

New commits:
commit 30592cd43f700a378ccb8538db25c2c15388d95c
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Sat Apr 10 12:49:15 2021 +0100
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue Apr 13 20:48:44 2021 +0200

    cid#1474366 Untrusted loop bound
    
    Change-Id: I943a65dcd0b8d4b1fcd9e7b8626e225159fa1d41
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/114017
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sc/source/filter/excel/xiescher.cxx 
b/sc/source/filter/excel/xiescher.cxx
index 231f0097148c..8afe83370ceb 100644
--- a/sc/source/filter/excel/xiescher.cxx
+++ b/sc/source/filter/excel/xiescher.cxx
@@ -907,11 +907,13 @@ void XclImpDrawObjBase::ImplReadObj8( XclImpStream& rStrm 
)
     rStrm.Seek( EXC_REC_SEEK_TO_BEGIN );
 
     bool bLoop = true;
-    while( bLoop && (rStrm.GetRecLeft() >= 4) )
+    while (bLoop)
     {
-        sal_uInt16 nSubRecId, nSubRecSize;
-        nSubRecId = rStrm.ReaduInt16();
-        nSubRecSize = rStrm.ReaduInt16();
+        if (rStrm.GetRecLeft() < 4)
+            break;
+
+        sal_uInt16 nSubRecId = rStrm.ReaduInt16();
+        sal_uInt16 nSubRecSize = rStrm.ReaduInt16();
         rStrm.PushPosition();
         // sometimes the last subrecord has an invalid length (OBJLBSDATA) -> 
min()
         nSubRecSize = static_cast< sal_uInt16 >( ::std::min< std::size_t >( 
nSubRecSize, rStrm.GetRecLeft() ) );
@@ -961,8 +963,14 @@ void XclImpDrawObjBase::ImplReadObj8( XclImpStream& rStrm )
     sal_uInt32 nDataSize = rStrm.ReaduInt32();
     nDataSize -= rStrm.GetRecLeft();
     // skip following CONTINUE records until IMGDATA ends
-    while( (nDataSize > 0) && (rStrm.GetNextRecId() == EXC_ID_CONT) && 
rStrm.StartNextRecord() )
+    while (true)
     {
+        if (!nDataSize)
+            break;
+        if (rStrm.GetNextRecId() != EXC_ID_CONT)
+            break;
+        if (!rStrm.StartNextRecord())
+            break;
         OSL_ENSURE( nDataSize >= rStrm.GetRecLeft(), 
"XclImpDrawObjBase::ImplReadObj8 - CONTINUE too long" );
         nDataSize -= ::std::min< sal_uInt32 >( rStrm.GetRecLeft(), nDataSize );
     }
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to