bail if offsets are past eof

Change-Id: I4a8e78231befff498894ec92a1f38af206e13129 (cherry picked from commit 97a0e7558b24792827d77217fb2d8b1106056963) Reviewed-on: https://gerrit.libreoffice.org/17232 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-20 12:28:03 +0100
committer: David Tardon <dtardon@redhat.com> 2015-07-20 19:33:25 +0000
commit: 6c40a461a2092e0fbb96b77ebaec7b028a02fd1e (patch)
tree: 439c17f8774b8bf0713c2552531fb75647c03b5b
parent: f8b78fb646dbea25fe1aff05e71b7c4cb2410552 (diff)
2 files changed, 19 insertions, 10 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-9.tiff b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff
new file mode 100644
index 000000000000..ef314ab7acb2
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 769c57e02a9a..180b1c379003 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -57,6 +57,7 @@ private:
     BitmapWriteAccess*      pMaskAcc;
 
     sal_uLong               nOrigPos;                   // start position in pTIFF
+    sal_uLong               nEndOfFile;                 // end of file position in pTIFF
 
 
     sal_uInt16              nDataType;
@@ -131,6 +132,7 @@ public:
         , pAlphaMask(NULL)
         , pMaskAcc(NULL)
         , nOrigPos(0)
+        , nEndOfFile(0)
         , nDataType(0)
         , bByteSwap(false)
         , nNewSubFile(0)
@@ -540,7 +542,7 @@ bool TIFFReader::ReadMap()
 {
     if ( nCompression == 1 || nCompression == 32771 )
     {
-        sal_uLong np, nStrip, nStripBytesPerRow;
+        sal_uLong nStrip, nStripBytesPerRow;
 
         if ( nCompression == 1 )
             nStripBytesPerRow = nBytesPerRow;
@@ -548,7 +550,7 @@ bool TIFFReader::ReadMap()
             nStripBytesPerRow = ( nBytesPerRow + 1 ) & 0xfffffffe;
         for (sal_Int32 ny = 0; ny < nImageLength; ++ny)
         {
-            for ( np = 0; np < nPlanes; np++ )
+            for (sal_uLong np = 0; np < nPlanes; ++np)
             {
                 nStrip = ny / GetRowsPerStrip() + np * nStripsPerPlane;
                 if ( nStrip >= nNumStripOffsets )
@@ -557,7 +559,7 @@ bool TIFFReader::ReadMap()
                 if (np >= SAL_N_ELEMENTS(pMap))
                     return false;
                 pTIFF->Read( pMap[ np ], nBytesPerRow );
-                if ( pTIFF->GetError() )
+                if (!pTIFF->good())
                     return false;
             }
             if ( !ConvertScanline( ny ) )
@@ -566,7 +568,7 @@ bool TIFFReader::ReadMap()
     }
     else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 )
     {
-        sal_uLong np, nStrip, nOptions;
+        sal_uLong nStrip, nOptions;
         if ( nCompression == 2 )
         {
             nOptions = CCI_OPTION_BYTEALIGNROW;
@@ -595,6 +597,9 @@ bool TIFFReader::ReadMap()
         nStrip = 0;
         if ( nStrip >= nNumStripOffsets )
             return false;
+        sal_uLong nOffset = pStripOffsets[nStrip];
+        if (nOffset > nEndOfFile)
+            return false;
         pTIFF->Seek(pStripOffsets[nStrip]);
 
         CCIDecompressor aCCIDecom( nOptions, nImageWidth );
@@ -603,14 +608,17 @@ bool TIFFReader::ReadMap()
 
         for (sal_Int32 ny = 0; ny < nImageLength; ++ny)
         {
-            for ( np = 0; np < nPlanes; np++ )
+            for (sal_uLong np = 0; np < nPlanes; np++ )
             {
                 if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip )
                 {
                     nStrip=ny/GetRowsPerStrip()+np*nStripsPerPlane;
                     if ( nStrip >= nNumStripOffsets )
                         return false;
-                    pTIFF->Seek( pStripOffsets[ nStrip ] );
+                    nOffset = pStripOffsets[nStrip];
+                    if (nOffset > nEndOfFile)
+                        return false;
+                    pTIFF->Seek(nOffset);
                     aCCIDecom.StartDecompression( *pTIFF );
                 }
                 if (np >= SAL_N_ELEMENTS(pMap))
@@ -627,7 +635,7 @@ bool TIFFReader::ReadMap()
     else if ( nCompression == 5 )
     {
         LZWDecompressor aLZWDecom;
-        sal_uLong np, nStrip;
+        sal_uLong nStrip;
         nStrip=0;
         if ( nStrip >= nNumStripOffsets )
             return false;
@@ -635,7 +643,7 @@ bool TIFFReader::ReadMap()
         aLZWDecom.StartDecompression(*pTIFF);
         for (sal_Int32 ny = 0; ny < nImageLength; ++ny)
         {
-            for ( np = 0; np < nPlanes; np++ )
+            for (sal_uLong np = 0; np < nPlanes; ++np)
             {
                 if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip )
                 {
@@ -656,7 +664,7 @@ bool TIFFReader::ReadMap()
     }
     else if ( nCompression == 32773 )
     {
-        sal_uLong nStrip,nRecCount,np,i;
+        sal_uLong nStrip,nRecCount,i;
         sal_uInt8 * pdst;
         nStrip = 0;
         if ( nStrip >= nNumStripOffsets )
@@ -664,7 +672,7 @@ bool TIFFReader::ReadMap()
         pTIFF->Seek(pStripOffsets[nStrip]);
         for (sal_Int32 ny = 0; ny < nImageLength; ++ny)
         {
-            for ( np = 0; np < nPlanes; np++ )
+            for (sal_uLong np = 0; np < nPlanes; ++np)
             {
                 if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip )
                 {
@@ -1178,6 +1186,7 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
 
     pTIFF = &rTIFF;
     nMaxPos = nOrigPos = pTIFF->Tell();
+    nEndOfFile = nOrigPos + pTIFF->remainingSize();
     // number format of pTIFF at the beginning
     SvStreamEndian nOrigNumberFormat = pTIFF->GetEndian();
author	Caolán McNamara <caolanm@redhat.com>	2015-07-20 12:28:03 +0100
committer	David Tardon <dtardon@redhat.com>	2015-07-20 19:33:25 +0000
commit	6c40a461a2092e0fbb96b77ebaec7b028a02fd1e (patch)
tree	439c17f8774b8bf0713c2552531fb75647c03b5b
parent	f8b78fb646dbea25fe1aff05e71b7c4cb2410552 (diff)