filter/qa/cppunit/data/tiff/fail/hang-5.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx | 7 +++++-- 2 files changed, 5 insertions(+), 2 deletions(-)
New commits: commit 997e69c66bf6488184f08d59126886baaba94ffe Author: Caolán McNamara <caol...@redhat.com> Date: Mon Jul 20 09:20:33 2015 +0100 test that nNumStripByteCounts value is within bounds of file Change-Id: If119628d7f510a7db30ed2180111063781cde887 (cherry picked from commit 33d43205c341e0cce36b6a1b3082c3927490cbde) Reviewed-on: https://gerrit.libreoffice.org/17211 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com>
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-5.tiff b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
new file mode 100644
index 0000000..f1be3fa
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 3f7d728..0c3fbd6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -432,14 +432,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
 nNumStripByteCounts = 0; // to be on the safe side
 nOldNumSBC = nNumStripByteCounts;
 nDataLen += nOldNumSBC;
- if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSBC && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSBC) <= nMaxRecordsAvailable)
 {
 nNumStripByteCounts = nDataLen;
 try
 {
 pStripByteCounts = new sal_uLong[ nNumStripByteCounts ];
 }
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
 {
 pStripByteCounts = NULL;
 nNumStripByteCounts = 0;
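Review bot: The allocation cap `nMaxAllocAllowed` is computed with `sizeof(sal_uInt32)`, but the array allocated a few lines below is `new sal_uLong[ nNumStripByteCounts ]`, so wherever sal_uLong is wider than 32 bits the cap does not describe the bytes actually requested; `size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);` would keep the two in step. The new file-size test also bounds only the increment `nDataLen - nOldNumSBC`, so the cumulative count remains limited only by that cap if this tag is handled more than once for one image, which the `nOldNumSBC` bookkeeping suggests is possible. `DataTypeSize()` is defined outside the hunk; if it can return 0 for an unrecognised data type, the division in `nMaxRecordsAvailable` needs a guard. A short comment above the condition, e.g. `// every new record needs DataTypeSize() bytes still unread in the stream`, would record why the bound exists. The enclosing branch of ReadTagData starts and ends outside the hunk, so what happens when the condition fails is not visible here.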