reject invalid tiff dimensions

Change-Id: I64e77f12cb016a7f4a9d21c732aaeaae7959da76 (cherry picked from commit 34d062147c16090fa42c27ac7960e3f5e3b65d2b) Reviewed-on: https://gerrit.libreoffice.org/17257 Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com> Tested-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-21 10:10:50 +0100
committer: Andras Timar <andras.timar@collabora.com> 2015-08-06 12:56:43 +0200
commit: 41c139b77841030492dd250c8023f04b79e55450 (patch)
tree: 0480e1acab3cdd7b0786e4201dd033d1f89a7f82 /filter
parent: 2e6fe8c1f831b080cd923212d0ef1adedc8d1ceb (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-7.tiff b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
new file mode 100644
index 000000000000..0056f9dcb8d5
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 180b1c379003..c730e81b38a6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1330,6 +1330,8 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
             }
             if ( !nBitsPerSample || ( nBitsPerSample > 32 ) )
                 bStatus = false;
+            if (nImageWidth < 0 || nImageLength < 0)
+                bStatus = false;
             if ( bStatus )
             {
                 if ( nMaxSampleValue == 0 )
author	Caolán McNamara <caolanm@redhat.com>	2015-07-21 10:10:50 +0100
committer	Andras Timar <andras.timar@collabora.com>	2015-08-06 12:56:43 +0200
commit	41c139b77841030492dd250c8023f04b79e55450 (patch)
tree	0480e1acab3cdd7b0786e4201dd033d1f89a7f82 /filter
parent	2e6fe8c1f831b080cd923212d0ef1adedc8d1ceb (diff)