[Libreoffice-commits] core.git: vcl/source

[Caolán McNamara (via logerrit)]

 vcl/source/filter/itiff/itiff.cxx |   30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

New commits:
commit 6e97fcf162b8495f0584f0bb67d020b3f3754780
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Fri Aug 19 12:19:58 2022 +0100
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Fri Aug 19 16:32:40 2022 +0200

    ofz#50335 Out-of-memory
    
    Change-Id: I4a7dd1e0fc21518cc0efcb6a115f1946adef7aaf
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138518
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/filter/itiff/itiff.cxx 
b/vcl/source/filter/itiff/itiff.cxx
index 3d21a66dc0af..1e71c6cb8adc 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -153,13 +153,9 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& 
rGraphic)
         constexpr size_t nMaxPixelsAllowed = SAL_MAX_INT32/4;
         // two buffers currently required, so limit further
         bool bOk = !o3tl::checked_multiply(w, h, nPixelsRequired) && 
nPixelsRequired <= nMaxPixelsAllowed / 2;
-        if (!bOk)
-        {
-            SAL_WARN("filter.tiff", "skipping oversized tiff image " << w << " 
x " << h);
-            break;
-        }
+        SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized tiff image " << w 
<< " x " << h);
 
-        if (bFuzzing)
+        if (bOk && bFuzzing)
         {
             const uint64_t MAX_SIZE = 200000000;
             if (TIFFTileSize64(tif) > MAX_SIZE || nPixelsRequired > MAX_SIZE)
@@ -167,8 +163,30 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& 
rGraphic)
                 SAL_WARN("filter.tiff", "skipping large tiffs");
                 break;
             }
+
+            uint16_t PhotometricInterpretation;
+            if (TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, 
&PhotometricInterpretation) == 1)
+            {
+                if (PhotometricInterpretation == PHOTOMETRIC_LOGL)
+                {
+                    if (TIFFIsTiled(tif))
+                    {
+                        uint32_t tw, th;
+                        if (TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw) == 1 &&
+                            TIFFGetField(tif, TIFFTAG_TILELENGTH, &th) == 1)
+                        {
+                            uint32_t nLogLBufferRequired;
+                            bOk = !o3tl::checked_multiply(tw, th, 
nLogLBufferRequired) && nLogLBufferRequired < MAX_SIZE;
+                            SAL_WARN_IF(!bOk, "filter.tiff", "skipping 
oversized tiff tile " << tw << " x " << th);
+                        }
+                    }
+                }
+            }
         }
 
+        if (!bOk)
+            break;
+
         std::vector<uint32_t> raster(nPixelsRequired);
         if (TIFFReadRGBAImageOriented(tif, w, h, raster.data(), 
ORIENTATION_TOPLEFT, 1))
         {