From aed68b0c79b4edac79d18a7c273ab1bf21665614 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Mon, 24 Aug 2015 15:31:41 +0100 Subject: detect and reject loop in tif Change-Id: I77d315fa432a3eb1a65539489a2ba6da8508b283 (cherry picked from commit 6b82437dca30eba0f0c9dde6fdc84cb8f7740f8f) Reviewed-on: https://gerrit.libreoffice.org/17957 Reviewed-by: David Tardon Tested-by: David Tardon --- filter/qa/cppunit/data/tiff/fail/hang-10.tiff | Bin 0 -> 5254 bytes filter/source/graphicfilter/itiff/lzwdecom.cxx | 12 ++++++++++++ 2 files changed, 12 insertions(+) create mode 100644 filter/qa/cppunit/data/tiff/fail/hang-10.tiff diff --git a/filter/qa/cppunit/data/tiff/fail/hang-10.tiff b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff new file mode 100644 index 000000000000..e5e9ebc3d028 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff differ diff --git a/filter/source/graphicfilter/itiff/lzwdecom.cxx b/filter/source/graphicfilter/itiff/lzwdecom.cxx index 82f6accd073f..5fb7514d62db 100644 --- a/filter/source/graphicfilter/itiff/lzwdecom.cxx +++ b/filter/source/graphicfilter/itiff/lzwdecom.cxx @@ -19,6 +19,8 @@ #include "lzwdecom.hxx" +#include +#include #define MAX_TABLE_SIZE 4096 @@ -161,8 +163,18 @@ void LZWDecompressor::AddToTable(sal_uInt16 nPrevCode, sal_uInt16 nCodeFirstData return; } + std::vector aSeenIndexes; while (pTable[nCodeFirstData].nDataCount>1) + { + if (std::find(aSeenIndexes.begin(), aSeenIndexes.end(), nCodeFirstData) != aSeenIndexes.end()) + { + SAL_WARN("filter.tiff", "Loop in chain"); + bEOIFound = true; + return; + } + aSeenIndexes.push_back(nCodeFirstData); nCodeFirstData=pTable[nCodeFirstData].nPrevCode; + } pTable[nTableSize].nPrevCode=nPrevCode; pTable[nTableSize].nDataCount=pTable[nPrevCode].nDataCount+1; -- cgit v1.2.3