summaryrefslogtreecommitdiff
path: root/filter
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2015-07-17 09:23:17 +0100
committerAndras Timar <andras.timar@collabora.com>2015-08-06 12:56:28 +0200
commitace6fcc860d9f8d6c620bad62727acb6fdd9ce22 (patch)
tree746c2788b47d96fec52278d0587ad01f6810dc08 /filter
parent5766f3c8f6987dd25cc5bc60cd6de8cb25314035 (diff)
detect loop in tif format
Change-Id: I27645566cd9fc0ac8cf753f0217ae6cf0fa9929e (cherry picked from commit 290465b0effecb6d620adc20ca279f8057eeab9a) Reviewed-on: https://gerrit.libreoffice.org/17149 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
Diffstat (limited to 'filter')
-rw-r--r--filter/qa/cppunit/data/tiff/fail/loop.tifbin0 -> 17 bytes
-rw-r--r--filter/source/graphicfilter/itiff/itiff.cxx12
2 files changed, 11 insertions, 1 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/loop.tif b/filter/qa/cppunit/data/tiff/fail/loop.tif
new file mode 100644
index 000000000000..6d8cee732e2c
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/loop.tif
Binary files differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 84bff7336f52..9ae2a0639eab 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1210,9 +1210,19 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
}
while( nOffset );
+ std::vector<sal_uInt32> aSeenIfds;
+
for ( sal_uInt32 nNextIfd = nFirstIfd; nNextIfd && bStatus; )
{
- pTIFF->Seek( nOrigPos + nNextIfd );
+ if (std::find(aSeenIfds.begin(), aSeenIfds.end(), nNextIfd) != aSeenIfds.end())
+ {
+ SAL_WARN("filter.tiff", "Parsing error: " << nNextIfd <<
+ " already processed, format loop");
+ bStatus = false;
+ break;
+ }
+ pTIFF->Seek(nOrigPos + nNextIfd);
+ aSeenIfds.push_back(nNextIfd);
{
bByteSwap = false;
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-28 16:05:21 +0000