summaryrefslogtreecommitdiff
path: root/filter
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2018-03-19 14:22:45 +0000
committerCaolán McNamara <caolanm@redhat.com>2018-03-19 22:07:29 +0100
commitc81765629bf0f7b3a0a8bb1dbed599a7f49ee58c (patch)
tree37969848c8ce2d9504ea97fa6345fdba06ef86aa /filter
parent0a6448802db53fcae5de5804b9e6b725528849bb (diff)
coverity#1266496 Untrusted loop bound
Change-Id: I89aaf8aab9e4f5230feb4c398fa4ebe9dc5e0add Reviewed-on: https://gerrit.libreoffice.org/51563 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'filter')
-rw-r--r--filter/source/graphicfilter/itiff/itiff.cxx9
1 files changed, 9 insertions, 0 deletions
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 1e93f39bf88e..e68f87e8f9c7 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1272,6 +1272,15 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
pTIFF->ReadUInt16( nNumTags );
+ const size_t nMinRecordSize = 12;
+ const size_t nMaxRecords = pTIFF->remainingSize() / nMinRecordSize;
+ if (nNumTags > nMaxRecords)
+ {
+ SAL_WARN("filter.tiff", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nNumTags << " claimed, truncating");
+ nNumTags = nMaxRecords;
+ }
+
// loop through tags:
for( i = 0; i < nNumTags; i++ )
{
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-01 11:16:11 +0000