From 64bb6065a3ae74550a513426308f00b05365086b Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Tue, 21 Jul 2015 10:10:50 +0100
Subject: reject invalid tiff dimensions

Change-Id: I64e77f12cb016a7f4a9d21c732aaeaae7959da76
(cherry picked from commit 34d062147c16090fa42c27ac7960e3f5e3b65d2b)
Reviewed-on: https://gerrit.libreoffice.org/17257
Reviewed-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
Tested-by: Adolfo Jayme Barrientos <fitojb@ubuntu.com>
---
 filter/qa/cppunit/data/tiff/fail/crash-7.tiff | Bin 0 -> 179 bytes
 filter/source/graphicfilter/itiff/itiff.cxx   |   2 ++
 2 files changed, 2 insertions(+)
 create mode 100644 filter/qa/cppunit/data/tiff/fail/crash-7.tiff

(limited to 'filter')

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-7.tiff b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
new file mode 100644
index 000000000000..0056f9dcb8d5
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 180b1c379003..c730e81b38a6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1330,6 +1330,8 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
             }
             if ( !nBitsPerSample || ( nBitsPerSample > 32 ) )
                 bStatus = false;
+            if (nImageWidth < 0 || nImageLength < 0)
+                bStatus = false;
             if ( bStatus )
             {
                 if ( nMaxSampleValue == 0 )
-- 
cgit v1.2.3