From d2473faee119c35b518849afe3daa6977a751c68 Mon Sep 17 00:00:00 2001
From: Eike Rathke <erack@redhat.com>
Date: Wed, 31 Jan 2018 18:00:15 +0100
Subject: [PATCH] ofz: guard against binary crap argument counts and ID/OpCode
 generation

Same as in sc/source/filter/lotus/lotform.cxx LotusToSc::DoFunc()

Change-Id: I4972e065ab96abdea42d64481d4e30674230ab99
---
 sc/source/filter/qpro/qproform.cxx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sc/source/filter/qpro/qproform.cxx b/sc/source/filter/qpro/qproform.cxx
index 6a2a22c1be95..6555a7842037 100644
--- a/sc/source/filter/qpro/qproform.cxx
+++ b/sc/source/filter/qpro/qproform.cxx
@@ -94,8 +94,12 @@ void QProToSc::DoFunc( DefTokenId eOc, sal_uInt16 nArgs, const sal_Char* pExtStr
 
     if( nArgs < nBufSize )
     {
-        for( nCount = 0; nCount < nArgs ; nCount++ )
+        for( nCount = 0; nCount < nArgs && aStack.HasMoreTokens() ; nCount++ )
             aStack >> eParam[ nCount ];
+
+        if (nCount < nArgs)
+            // Adapt count to reality. All sort of binary crap is possible.
+            nArgs = static_cast<sal_uInt16>(nCount);
     }
     else
         return;