filter/qa/cppunit/data/tiff/fail/hang-1.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx | 7 +++++-- 2 files changed, 5 insertions(+), 2 deletions(-)
New commits: commit feedb957310fc3282ca47d5ffc1482dbb944a36e Author: Caolán McNamara <caol...@redhat.com> Date: Fri Jul 17 09:45:26 2015 +0100 test that nNumStripOffsets value is within bounds of file Change-Id: I1483ea3671420be53496888892374641e10b344d
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
new file mode 100644
index 0000000..9cd2aa2
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 9ae2a06..e132fab 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
 nNumStripOffsets = 0;
 nOldNumSO = nNumStripOffsets;
 nDataLen += nOldNumSO;
- if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSO && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSO) <= nMaxRecordsAvailable)
 {
 nNumStripOffsets = nDataLen;
 try
 {
 pStripOffsets = new sal_uLong[ nNumStripOffsets ];
 }
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
 {
 pStripOffsets = NULL;
 nNumStripOffsets = 0;
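Review bot: The allocation cap `nMaxAllocAllowed` is derived from `sizeof(sal_uInt32)`, but the array allocated a few lines below is `new sal_uLong[ nNumStripOffsets ]`, so the limit does not match the element type wherever `sal_uLong` is wider than 32 bits. I would write `const size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);`. The new divisor `DataTypeSize()` is defined outside this hunk; if it can return 0 for an unrecognised data type taken from the file, `pTIFF->remainingSize() / DataTypeSize()` divides by zero, so confirm that it never does or guard the division. A one-line comment such as `// reject strip counts the rest of the stream cannot hold` above the `if` would record why the third condition exists. The body of `ReadTagData` starts and ends outside the hunk, so the path taken when the check fails is not visible here.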