check np bounds

Change-Id: Id16ae9325f3c67792941b9c88d83435aa98282ca (cherry picked from commit be4e1141be7cd54cf5362d3de534050db5505437) Reviewed-on: https://gerrit.libreoffice.org/17199 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-19 21:25:46 +0100
committer: David Tardon <dtardon@redhat.com> 2015-07-20 06:18:13 +0000
commit: fc3ba0cdd424e1ae2852ad9809b49a5e6e55b2f5 (patch)
tree: f0689b970f601a7360bf998d73bf3cdff59960ee /filter
parent: e9be8b2425eb8e013e43ef7e730a05df5e4efae9 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-2.tiff b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff
new file mode 100644
index 000000000000..aadd99f33d2d
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 834c437e7cc0..4599af97dc0c 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -608,6 +608,8 @@ bool TIFFReader::ReadMap()
                     pTIFF->Seek( pStripOffsets[ nStrip ] );
                     aCCIDecom.StartDecompression( *pTIFF );
                 }
+                if (np >= SAL_N_ELEMENTS(pMap))
+                    return false;
                 if ( !aCCIDecom.DecompressScanline( pMap[ np ], nImageWidth * nBitsPerSample * nSamplesPerPixel / nPlanes, np + 1 == nPlanes ) )
                     return false;
                 if ( pTIFF->GetError() )
author	Caolán McNamara <caolanm@redhat.com>	2015-07-19 21:25:46 +0100
committer	David Tardon <dtardon@redhat.com>	2015-07-20 06:18:13 +0000
commit	fc3ba0cdd424e1ae2852ad9809b49a5e6e55b2f5 (patch)
tree	f0689b970f601a7360bf998d73bf3cdff59960ee /filter
parent	e9be8b2425eb8e013e43ef7e730a05df5e4efae9 (diff)