check np bounds yet again

Change-Id: Id3f6fdc0ebed9711acec5d71f404e7a6072b765c (cherry picked from commit bca4d6f896fb12ceff37476c43ea8892898dd385) Reviewed-on: https://gerrit.libreoffice.org/17207 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Michael Meeks <michael.meeks@collabora.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-20 08:50:27 +0100
committer: Michael Meeks <michael.meeks@collabora.com> 2015-07-20 09:13:02 +0000
commit: 429f6b5183fa39751d949431e16bd6f4163bf78c (patch)
tree: 45038d5fa4a272ce603f55d5557887cd54569ebf
parent: 1aac166075ef5a3183474449ae7d0fa3f7cf82b6 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-5.tiff b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
new file mode 100644
index 000000000000..4849edff238b
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index b18db6b9be3b..7a5d48793acd 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -669,6 +669,8 @@ bool TIFFReader::ReadMap()
                     pTIFF->Seek(pStripOffsets[nStrip]);
                 }
                 nRowBytesLeft = nBytesPerRow;
+                if (np >= SAL_N_ELEMENTS(pMap))
+                    return false;
                 pdst=pMap[ np ];
                 do
                 {
author	Caolán McNamara <caolanm@redhat.com>	2015-07-20 08:50:27 +0100
committer	Michael Meeks <michael.meeks@collabora.com>	2015-07-20 09:13:02 +0000
commit	429f6b5183fa39751d949431e16bd6f4163bf78c (patch)
tree	45038d5fa4a272ce603f55d5557887cd54569ebf
parent	1aac166075ef5a3183474449ae7d0fa3f7cf82b6 (diff)