From 43518b29fddc7b824bdb1f7c8d2efcd220d6bc72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 3 Mar 2020 10:30:51 +0000
Subject: [PATCH] cid#1458434 Untrusted loop bound
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I3fd06ddf1548c1d6b5d8e91db944d2c720040718
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/89873
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
---
 filter/source/graphicfilter/ipict/ipict.cxx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx
index bbd59c055d34..fe9475d36170 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -1078,6 +1078,9 @@ sal_uInt64 PictReader::ReadPixMapEtc( BitmapEx &rBitmap, bool bBaseAddr, bool bC
 
                 pBitmap.reset(new vcl::bitmap::RawBitmap( Size(nWidth, nHeight), 24 ));
 
+                // cid#1458434 to sanitize Untrusted loop bound
+                nWidth = pBitmap->Width();
+
                 size_t nByteWidth = static_cast<size_t>(nWidth) * nCmpCount;
                 std::vector<sal_uInt8> aScanline(nByteWidth);
                 for (sal_uInt16 ny = 0; ny < nHeight; ++ny)