diff options
author | Caolán McNamara <caolanm@redhat.com> | 2014-04-02 09:02:19 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2014-04-02 09:04:48 +0100 |
commit | 4e2c5ffa89b77e4d6b0a1dc964d330d2ae3636d6 (patch) | |
tree | 478d8772e6b51e71e99a872fe68dc10c22f4758e /filter | |
parent | a37f474a2272c505778774cd1d92897d8a744863 (diff) |
detect add to table beyond MAX_TABLE_SIZE
Change-Id: I9b1357e583620c59898cd7a649a5b39a6d7e3739
(cherry picked from commit e326b5e06d74685b1853d61c465e5be0b5bf1595)
Diffstat (limited to 'filter')
-rw-r--r-- | filter/source/graphicfilter/itiff/lzwdecom.cxx | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/filter/source/graphicfilter/itiff/lzwdecom.cxx b/filter/source/graphicfilter/itiff/lzwdecom.cxx index 2fdb054cd1d4..4ac9d4cf0dcb 100644 --- a/filter/source/graphicfilter/itiff/lzwdecom.cxx +++ b/filter/source/graphicfilter/itiff/lzwdecom.cxx @@ -20,14 +20,16 @@ #include "lzwdecom.hxx" +#define MAX_TABLE_SIZE 4096 + LZWDecompressor::LZWDecompressor() : pOutBufData(NULL) { sal_uInt16 i; - pTable=new LZWTableEntry[4096]; - pOutBuf=new sal_uInt8[4096]; - for (i=0; i<4096; i++) + pTable=new LZWTableEntry[MAX_TABLE_SIZE]; + pOutBuf=new sal_uInt8[MAX_TABLE_SIZE]; + for (i=0; i<MAX_TABLE_SIZE; i++) { pTable[i].nPrevCode=0; pTable[i].nDataCount=1; @@ -144,6 +146,15 @@ sal_uInt16 LZWDecompressor::GetNextCode() void LZWDecompressor::AddToTable(sal_uInt16 nPrevCode, sal_uInt16 nCodeFirstData) { + if (nTableSize >= MAX_TABLE_SIZE) + { + //It might be possible to force emit a 256 to flush the buffer and try + //to continue later? + SAL_WARN("filter.tiff", "Too much data at scanline"); + bEOIFound = sal_True; + return; + } + while (pTable[nCodeFirstData].nDataCount>1) nCodeFirstData=pTable[nCodeFirstData].nPrevCode; @@ -160,20 +171,33 @@ void LZWDecompressor::DecompressSome() sal_uInt16 i,nCode; nCode=GetNextCode(); - if (nCode==256) { + if (nCode==256) + { nTableSize=258; nCode=GetNextCode(); - if (nCode==257) { bEOIFound=sal_True; return; } + if (nCode==257) + { + bEOIFound=sal_True; + } + } + else if (nCode<nTableSize) + AddToTable(nOldCode,nCode); + else if (nCode==nTableSize) + AddToTable(nOldCode,nOldCode); + else + { + bEOIFound=sal_True; } - else if (nCode<nTableSize) AddToTable(nOldCode,nCode); - else if (nCode==nTableSize) AddToTable(nOldCode,nOldCode); - else { bEOIFound=sal_True; return; } + + if (bEOIFound) + return; nOldCode=nCode; nOutBufDataLen=pTable[nCode].nDataCount; pOutBufData=pOutBuf+nOutBufDataLen; - for (i=0; i<nOutBufDataLen; i++) { + for (i=0; i<nOutBufDataLen; i++) + { *(--pOutBufData)=pTable[nCode].nData; nCode=pTable[nCode].nPrevCode; } |