check np bounds yet again

Change-Id: Id3f6fdc0ebed9711acec5d71f404e7a6072b765c (cherry picked from commit bca4d6f896fb12ceff37476c43ea8892898dd385) Reviewed-on: https://gerrit.libreoffice.org/17208 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Michael Meeks <michael.meeks@collabora.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-20 08:50:27 +0100
committer: Michael Meeks <michael.meeks@collabora.com> 2015-07-20 09:13:20 +0000
commit: 1b50cbe9aac1f57ac325799931abcd60e88d51b6 (patch)
tree: 7fa6cbfafdd2f2b81fc966d87c2576458add2ac4 /filter
parent: f379b1ace95e25798d16c4980fb6a136fcf79715 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-5.tiff b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
new file mode 100644
index 000000000000..4849edff238b
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 20d37687e4b0..69067c5b44e3 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -682,6 +682,8 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent )
                     pTIFF->Seek(pStripOffsets[nStrip]);
                 }
                 nRowBytesLeft = nBytesPerRow;
+                if (np >= SAL_N_ELEMENTS(pMap))
+                    return false;
                 pdst=pMap[ np ];
                 do
                 {
author	Caolán McNamara <caolanm@redhat.com>	2015-07-20 08:50:27 +0100
committer	Michael Meeks <michael.meeks@collabora.com>	2015-07-20 09:13:20 +0000
commit	1b50cbe9aac1f57ac325799931abcd60e88d51b6 (patch)
tree	7fa6cbfafdd2f2b81fc966d87c2576458add2ac4 /filter
parent	f379b1ace95e25798d16c4980fb6a136fcf79715 (diff)