test that nNumStripOffsets value is within bounds of file

Change-Id: I1483ea3671420be53496888892374641e10b344d
(cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e)
Reviewed-on: https://gerrit.libreoffice.org/17151
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>

2 files changed, 5 insertions, 2 deletions

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
new file mode 100644
index 000000000000..9cd2aa2e0c5f
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 80c859ccc2ba..aed15f629cda 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
                 nNumStripOffsets = 0;
             nOldNumSO = nNumStripOffsets;
             nDataLen += nOldNumSO;
-            if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+            size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+            size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+            if (nDataLen > nOldNumSO && nDataLen < nMaxAllocAllowed &&
+                (nDataLen - nOldNumSO) <= nMaxRecordsAvailable)
             {
                 nNumStripOffsets = nDataLen;
                 try
                 {
                     pStripOffsets = new sal_uLong[ nNumStripOffsets ];
                 }
-                    catch (const std::bad_alloc &)
+                catch (const std::bad_alloc &)
                 {
                     pStripOffsets = NULL;
                     nNumStripOffsets = 0;