[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
Caolán McNamara
caolanm at redhat.com
Fri Jul 17 04:42:32 PDT 2015
filter/qa/cppunit/data/tiff/fail/hang-1.tiff |binary
filter/source/graphicfilter/itiff/itiff.cxx | 7 +++++--
2 files changed, 5 insertions(+), 2 deletions(-)
New commits:
commit 5681a8b41dd95fea324d4a9797fbe959e2022feb
Author: Caolán McNamara <caolanm at redhat.com>
Date: Fri Jul 17 09:45:26 2015 +0100
test that nNumStripOffsets value is within bounds of file
Change-Id: I1483ea3671420be53496888892374641e10b344d
(cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e)
Reviewed-on: https://gerrit.libreoffice.org/17151
Reviewed-by: David Tardon <dtardon at redhat.com>
Tested-by: David Tardon <dtardon at redhat.com>
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
new file mode 100644
index 0000000..9cd2aa2
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 80c859c..aed15f6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
nNumStripOffsets = 0;
nOldNumSO = nNumStripOffsets;
nDataLen += nOldNumSO;
- if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSO && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSO) <= nMaxRecordsAvailable)
{
nNumStripOffsets = nDataLen;
try
{
pStripOffsets = new sal_uLong[ nNumStripOffsets ];
}
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
{
pStripOffsets = NULL;
nNumStripOffsets = 0;
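Review bot: The allocation cap on the added `nMaxAllocAllowed` line divides by `sizeof(sal_uInt32)`, but the array allocated a few lines below is `new sal_uLong[ nNumStripOffsets ]`, so on platforms where sal_uLong is wider than 32 bits the cap admits a request several times larger than intended. `size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);` would tie the limit to the element type actually allocated. The new file-size bound covers only the records this tag adds (`nDataLen - nOldNumSO`), so the accumulated total is still limited only by that cap. `DataTypeSize()` is defined outside the hunk; if it can return 0 for an unrecognised data type, the division on the `nMaxRecordsAvailable` line needs a guard, which is worth confirming. ReadTagData's body starts and ends outside the hunk.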