reject invalid tiff dimensions

Change-Id: I64e77f12cb016a7f4a9d21c732aaeaae7959da76 (cherry picked from commit 34d062147c16090fa42c27ac7960e3f5e3b65d2b) Reviewed-on: https://gerrit.libreoffice.org/17257 Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com> Tested-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-21 10:10:50 +0100
committer: Adolfo Jayme Barrientos <fitojb@ubuntu.com> 2015-07-21 10:12:09 +0000
commit: 64bb6065a3ae74550a513426308f00b05365086b (patch)
tree: 01f24a9734d1e46c1d71e3c8d0a074ceac4b78da /filter
parent: 20f8d8318f28af46f29386f2dca54b5d7b127caa (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-7.tiff b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
new file mode 100644
index 000000000000..0056f9dcb8d5
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 180b1c379003..c730e81b38a6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1330,6 +1330,8 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
             }
             if ( !nBitsPerSample || ( nBitsPerSample > 32 ) )
                 bStatus = false;
+            if (nImageWidth < 0 || nImageLength < 0)
+                bStatus = false;
             if ( bStatus )
             {
                 if ( nMaxSampleValue == 0 )
author	Caolán McNamara <caolanm@redhat.com>	2015-07-21 10:10:50 +0100
committer	Adolfo Jayme Barrientos <fitojb@ubuntu.com>	2015-07-21 10:12:09 +0000
commit	64bb6065a3ae74550a513426308f00b05365086b (patch)
tree	01f24a9734d1e46c1d71e3c8d0a074ceac4b78da /filter
parent	20f8d8318f28af46f29386f2dca54b5d7b127caa (diff)