From 109141a84f4a8076e2a906569e95a53f4306afa5 Mon Sep 17 00:00:00 2001
From: David Tardon
Date: Sat, 16 Sep 2017 10:52:39 +0200
Subject: cid#1219687 sanitize loop bound
Change-Id: I6448038bdc54c7dd6a6e906d8d51a19c4a1a1ef3
---
 src/lib/FHParser.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lib/FHParser.cpp b/src/lib/FHParser.cpp
index ec79fdf..585fa8c 100644
--- a/src/lib/FHParser.cpp
+++ b/src/lib/FHParser.cpp
@@ -1459,6 +1459,8 @@ void libfreehand::FHParser::readMultiColorList(librevenge::RVNGInputStream *inpu
 std::vector colorStops;
 unsigned short num = readU16(input);
 input->seek(2, librevenge::RVNG_SEEK_CUR);
+ if (num > getRemainingLength(input) / 10)
+ num = getRemainingLength(input) / 10;
 for (unsigned short i = 0; i < num; ++i)
 {
 FHColorStop colorStop;
-- 
cgit v1.2.3
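Review bot: The divisor `10` in the two added lines is an unexplained constant that has to match the number of bytes one pass of the loop consumes, and the loop body lies outside this hunk, so that cannot be checked from here. A comment on the guard would tie the bound to the record layout, for example `// each color stop is read from 10 bytes of input; clamp the file-supplied count to what the stream still holds` (wording to be confirmed against the loop body). The guard also calls `getRemainingLength(input)` twice; computing the quotient once into a local and using it for both the comparison and the assignment keeps the two in step and makes it easier to see that the narrowing back to `unsigned short` is safe. The clamp is silent, so a truncated or malformed file yields a shorter stop list with no trace; if the parser has a debug-message facility (none is visible in this hunk), a line there would help when triaging bad input.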