From f1bf1ff3a15af438bdf8c4589c1da0902568ff46 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 2 Apr 2014 09:02:19 +0100
Subject: detect add to table beyond MAX_TABLE_SIZE

Change-Id: I9b1357e583620c59898cd7a649a5b39a6d7e3739
(cherry picked from commit e326b5e06d74685b1853d61c465e5be0b5bf1595)
(cherry picked from commit 4e2c5ffa89b77e4d6b0a1dc964d330d2ae3636d6)
---
 filter/source/graphicfilter/itiff/lzwdecom.cxx | 42 ++++++++++++++++++++------
 1 file changed, 33 insertions(+), 9 deletions(-)

(limited to 'filter')

diff --git a/filter/source/graphicfilter/itiff/lzwdecom.cxx b/filter/source/graphicfilter/itiff/lzwdecom.cxx
index 2fdb054cd1d4..4ac9d4cf0dcb 100644
--- a/filter/source/graphicfilter/itiff/lzwdecom.cxx
+++ b/filter/source/graphicfilter/itiff/lzwdecom.cxx
@@ -20,14 +20,16 @@
 
 #include "lzwdecom.hxx"
 
+#define MAX_TABLE_SIZE 4096
+
 LZWDecompressor::LZWDecompressor()
     : pOutBufData(NULL)
 {
     sal_uInt16 i;
 
-    pTable=new LZWTableEntry[4096];
-    pOutBuf=new sal_uInt8[4096];
-    for (i=0; i<4096; i++)
+    pTable=new LZWTableEntry[MAX_TABLE_SIZE];
+    pOutBuf=new sal_uInt8[MAX_TABLE_SIZE];
+    for (i=0; i<MAX_TABLE_SIZE; i++)
     {
         pTable[i].nPrevCode=0;
         pTable[i].nDataCount=1;
@@ -144,6 +146,15 @@ sal_uInt16 LZWDecompressor::GetNextCode()
 
 void LZWDecompressor::AddToTable(sal_uInt16 nPrevCode, sal_uInt16 nCodeFirstData)
 {
+    if (nTableSize >= MAX_TABLE_SIZE)
+    {
+        //It might be possible to force emit a 256 to flush the buffer and try
+        //to continue later?
+        SAL_WARN("filter.tiff", "Too much data at scanline");
+        bEOIFound = sal_True;
+        return;
+    }
+
     while (pTable[nCodeFirstData].nDataCount>1)
         nCodeFirstData=pTable[nCodeFirstData].nPrevCode;
 
@@ -160,20 +171,33 @@ void LZWDecompressor::DecompressSome()
     sal_uInt16 i,nCode;
 
     nCode=GetNextCode();
-    if (nCode==256) {
+    if (nCode==256)
+    {
         nTableSize=258;
         nCode=GetNextCode();
-        if (nCode==257) { bEOIFound=sal_True; return; }
+        if (nCode==257)
+        {
+            bEOIFound=sal_True;
+        }
+    }
+    else if (nCode<nTableSize)
+        AddToTable(nOldCode,nCode);
+    else if (nCode==nTableSize)
+        AddToTable(nOldCode,nOldCode);
+    else
+    {
+        bEOIFound=sal_True;
     }
-    else if (nCode<nTableSize) AddToTable(nOldCode,nCode);
-    else if (nCode==nTableSize) AddToTable(nOldCode,nOldCode);
-    else { bEOIFound=sal_True; return; }
+
+    if (bEOIFound)
+        return;
 
     nOldCode=nCode;
 
     nOutBufDataLen=pTable[nCode].nDataCount;
     pOutBufData=pOutBuf+nOutBufDataLen;
-    for (i=0; i<nOutBufDataLen; i++) {
+    for (i=0; i<nOutBufDataLen; i++)
+    {
         *(--pOutBufData)=pTable[nCode].nData;
         nCode=pTable[nCode].nPrevCode;
     }
-- 
cgit v1.2.3