author | Caolán McNamara <caolanm@redhat.com> | 2015-07-17 09:45:26 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2015-08-06 12:56:30 +0200 |
commit | e5d8a9d123052eaf5556a52948f855fa478bd6db (patch) | |
tree | 690bfa03fb261c71190804c6bd9eddc876e85120 /filter | |
parent | 3bc3656c0e305ac211ed84ed8e310c0aaa899563 (diff) |
test that nNumStripOffsets value is within bounds of file
Change-Id: I1483ea3671420be53496888892374641e10b344d
(cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e)
Reviewed-on: https://gerrit.libreoffice.org/17151
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
Diffstat (limited to 'filter')
-rw-r--r-- | filter/qa/cppunit/data/tiff/fail/hang-1.tiff | bin | 0 -> 205 bytes | |||
-rw-r--r-- | filter/source/graphicfilter/itiff/itiff.cxx | 7 |
2 files changed, 5 insertions, 2 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
Binary files differ
new file mode 100644
index 000000000000..9cd2aa2e0c5f
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 80c859ccc2ba..aed15f629cda 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
 nNumStripOffsets = 0;
 nOldNumSO = nNumStripOffsets;
 nDataLen += nOldNumSO;
- if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSO && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSO) <= nMaxRecordsAvailable)
 {
 nNumStripOffsets = nDataLen;
 try
 {
 pStripOffsets = new sal_uLong[ nNumStripOffsets ];
 }
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
 {
 pStripOffsets = NULL;
 nNumStripOffsets = 0; |
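Review bot: The divisor in the added line `size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();` depends on state not visible in this hunk (presumably the entry's data type as read from the file); if DataTypeSize() can return 0 for an unrecognised type, this line divides by zero on file-supplied input. Unless that is ruled out elsewhere, guard it, e.g. `const size_t nRecSize = DataTypeSize();` followed by `size_t nMaxRecordsAvailable = nRecSize ? pTIFF->remainingSize() / nRecSize : 0;`. Separately, `nMaxAllocAllowed` is computed with `sizeof(sal_uInt32)` while the array allocated below is `sal_uLong[]`, so the cap does not match the element size wherever sal_uLong is wider. A short comment such as `// a count larger than the bytes left in the stream cannot be valid; reject it before allocating` would record why the file-size bound exists. The enclosing block of ReadTagData starts and ends outside the hunk, so the path taken when the check fails is not visible here.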