[Libreoffice-commits] core.git: filter/source

Caolán McNamara Mon, 19 Mar 2018 14:08:26 -0700

 filter/source/graphicfilter/itiff/itiff.cxx |    9 +++++++++
 1 file changed, 9 insertions(+)


New commits:
commit c81765629bf0f7b3a0a8bb1dbed599a7f49ee58c
Author: Caolán McNamara <caol...@redhat.com>
Date:   Mon Mar 19 14:22:45 2018 +0000

    coverity#1266496 Untrusted loop bound
    
    Change-Id: I89aaf8aab9e4f5230feb4c398fa4ebe9dc5e0add
    Reviewed-on: https://gerrit.libreoffice.org/51563
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Tested-by: Caolán McNamara <caol...@redhat.com>

diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 1e93f39bf88e..e68f87e8f9c7 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1272,6 +1272,15 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & 
rGraphic )
 
             pTIFF->ReadUInt16( nNumTags );
 
+            const size_t nMinRecordSize = 12;
+            const size_t nMaxRecords = pTIFF->remainingSize() / nMinRecordSize;
+            if (nNumTags > nMaxRecords)
+            {
+                SAL_WARN("filter.tiff", "Parsing error: " << nMaxRecords <<
+                         " max possible entries, but " << nNumTags << " 
claimed, truncating");
+                nNumTags = nMaxRecords;
+            }
+
             // loop through tags:
             for( i = 0; i < nNumTags; i++ )
             {
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

[Libreoffice-commits] core.git: filter/source

Reply via email to