check np bounds yet again

Change-Id: Id3f6fdc0ebed9711acec5d71f404e7a6072b765c (cherry picked from commit bca4d6f896fb12ceff37476c43ea8892898dd385) Reviewed-on: https://gerrit.libreoffice.org/17207 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Michael Meeks <michael.meeks@collabora.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-20 08:50:27 +0100
committer: Andras Timar <andras.timar@collabora.com> 2015-08-06 12:56:37 +0200
commit: 6e014f66d1d47d4be4bb5022393fb56953d4a956 (patch)
tree: 58a19e94c408234a391ef148c446f476aa5ba6a9 /filter
parent: c8738bb65b5acfd892e5172102bcf07938404d9b (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-5.tiff b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
new file mode 100644
index 000000000000..4849edff238b
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index b18db6b9be3b..7a5d48793acd 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -669,6 +669,8 @@ bool TIFFReader::ReadMap()
                     pTIFF->Seek(pStripOffsets[nStrip]);
                 }
                 nRowBytesLeft = nBytesPerRow;
+                if (np >= SAL_N_ELEMENTS(pMap))
+                    return false;
                 pdst=pMap[ np ];
                 do
                 {
author	Caolán McNamara <caolanm@redhat.com>	2015-07-20 08:50:27 +0100
committer	Andras Timar <andras.timar@collabora.com>	2015-08-06 12:56:37 +0200
commit	6e014f66d1d47d4be4bb5022393fb56953d4a956 (patch)
tree	58a19e94c408234a391ef148c446f476aa5ba6a9 /filter
parent	c8738bb65b5acfd892e5172102bcf07938404d9b (diff)