diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-07-20 12:28:03 +0100 |
|---|---|---|
| committer | Andras Timar <andras.timar@collabora.com> | 2015-08-03 17:51:37 +0200 |
| commit | e4e3065783a0fad6aff451c17f2a9657b2e02941 (patch) | |
| tree | 243dc4a56b60ff411c3b844b8ae81ee276a36627 /filter/source | |
| parent | 6abed1b9c7f9767d680d063088dc6a23cc122111 (diff) | |
bail if offsets are past eof
(cherry picked from commit 97a0e7558b24792827d77217fb2d8b1106056963)
Change-Id: I4a8e78231befff498894ec92a1f38af206e13129
Reviewed-on: https://gerrit.libreoffice.org/17227
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
Diffstat (limited to 'filter/source')
| -rw-r--r-- | filter/source/graphicfilter/itiff/itiff.cxx | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index f8bc19354f9c..c7dc759bb360 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -58,6 +58,7 @@ private: sal_uLong nOrigPos; // start position in pTIFF sal_uInt16 nOrigNumberFormat; // number format of pTIFF at the beginning + sal_uLong nEndOfFile; // end of file position in pTIFF sal_uInt16 nDataType; @@ -135,6 +136,7 @@ public: , pMaskAcc(NULL) , nOrigPos(0) , nOrigNumberFormat(0) + , nEndOfFile(0) , nDataType(0) , bByteSwap(false) , nNewSubFile(0) @@ -550,7 +552,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) { if ( nCompression == 1 || nCompression == 32771 ) { - sal_uLong np, nStrip, nStripBytesPerRow; + sal_uLong nStrip, nStripBytesPerRow; if ( nCompression == 1 ) nStripBytesPerRow = nBytesPerRow; @@ -558,7 +560,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) nStripBytesPerRow = ( nBytesPerRow + 1 ) & 0xfffffffe; for (sal_Int32 ny = 0; ny < nImageLength; ++ny) { - for ( np = 0; np < nPlanes; np++ ) + for (sal_uLong np = 0; np < nPlanes; ++np) { nStrip = ny / GetRowsPerStrip() + np * nStripsPerPlane; if ( nStrip >= nNumStripOffsets ) @@ -567,7 +569,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) if (np >= SAL_N_ELEMENTS(pMap)) return false; pTIFF->Read( pMap[ np ], nBytesPerRow ); - if ( pTIFF->GetError() ) + if (!pTIFF->good()) return false; MayCallback( nMinPercent + ( nMaxPercent - nMinPercent ) * ( np * nImageLength + ny) / ( nImageLength * nPlanes ) ); } @@ -577,7 +579,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) } else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 ) { - sal_uLong np, nStrip, nOptions; + sal_uLong nStrip, nOptions; if ( nCompression == 2 ) { nOptions = CCI_OPTION_BYTEALIGNROW; @@ -606,6 +608,9 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) nStrip = 0; if ( nStrip >= nNumStripOffsets ) return false; + sal_uLong nOffset = pStripOffsets[nStrip]; + if (nOffset > nEndOfFile) + return false; pTIFF->Seek(pStripOffsets[nStrip]); CCIDecompressor aCCIDecom( nOptions, nImageWidth ); @@ -614,14 +619,17 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) for (sal_Int32 ny = 0; ny < nImageLength; ++ny) { - for ( np = 0; np < nPlanes; np++ ) + for (sal_uLong np = 0; np < nPlanes; np++ ) { if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip ) { nStrip=ny/GetRowsPerStrip()+np*nStripsPerPlane; if ( nStrip >= nNumStripOffsets ) return false; - pTIFF->Seek( pStripOffsets[ nStrip ] ); + nOffset = pStripOffsets[nStrip]; + if (nOffset > nEndOfFile) + return false; + pTIFF->Seek(nOffset); aCCIDecom.StartDecompression( *pTIFF ); } if (np >= SAL_N_ELEMENTS(pMap)) @@ -639,7 +647,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) else if ( nCompression == 5 ) { LZWDecompressor aLZWDecom; - sal_uLong np, nStrip; + sal_uLong nStrip; nStrip=0; if ( nStrip >= nNumStripOffsets ) return false; @@ -647,7 +655,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) aLZWDecom.StartDecompression(*pTIFF); for (sal_Int32 ny = 0; ny < nImageLength; ++ny) { - for ( np = 0; np < nPlanes; np++ ) + for (sal_uLong np = 0; np < nPlanes; ++np) { if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip ) { @@ -669,7 +677,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) } else if ( nCompression == 32773 ) { - sal_uLong nStrip,nRecCount,np,i; + sal_uLong nStrip,nRecCount,i; sal_uInt8 * pdst; nStrip = 0; if ( nStrip >= nNumStripOffsets ) @@ -677,7 +685,7 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent ) pTIFF->Seek(pStripOffsets[nStrip]); for (sal_Int32 ny = 0; ny < nImageLength; ++ny) { - for ( np = 0; np < nPlanes; np++ ) + for (sal_uLong np = 0; np < nPlanes; ++np) { if ( ny / GetRowsPerStrip() + np * nStripsPerPlane > nStrip ) { @@ -1193,6 +1201,7 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic ) pTIFF = &rTIFF; nMaxPos = nOrigPos = pTIFF->Tell(); + nEndOfFile = nOrigPos + pTIFF->remainingSize(); nOrigNumberFormat = pTIFF->GetNumberFormatInt(); MayCallback( 0 ); |