[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/qa filter/source
Caolán McNamara
caolanm at redhat.com
Fri Jul 17 05:19:48 PDT 2015
filter/qa/cppunit/data/tiff/fail/hang-1.tiff |binary
filter/source/graphicfilter/itiff/itiff.cxx | 7 +++++--
2 files changed, 5 insertions(+), 2 deletions(-)
New commits:
commit 94a6a1b5ab728bbafa8b880b07e1f4da48d87e8b
Author: Caolán McNamara <caolanm at redhat.com>
Date: Fri Jul 17 09:45:26 2015 +0100
test that nNumStripOffsets value is within bounds of file
Change-Id: I1483ea3671420be53496888892374641e10b344d
(cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e)
Reviewed-on: https://gerrit.libreoffice.org/17152
Reviewed-by: David Tardon <dtardon at redhat.com>
Tested-by: David Tardon <dtardon at redhat.com>
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
new file mode 100644
index 0000000..9cd2aa2
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 0474c5b..92d7a3c 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -383,14 +383,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
nNumStripOffsets = 0;
nOldNumSO = nNumStripOffsets;
nDataLen += nOldNumSO;
- if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSO && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSO) <= nMaxRecordsAvailable)
{
nNumStripOffsets = nDataLen;
try
{
pStripOffsets = new sal_uLong[ nNumStripOffsets ];
}
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
{
pStripOffsets = NULL;
nNumStripOffsets = 0;
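Review bot: The allocation cap on the added `nMaxAllocAllowed` line is still computed with `sizeof(sal_uInt32)`, while the array allocated a few lines below is `new sal_uLong[ nNumStripOffsets ]`. Where sal_uLong is wider than 32 bits the cap does not bound the byte size it appears to, and `size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);` would match the element type. The new `pTIFF->remainingSize() / DataTypeSize()` division also relies on DataTypeSize() never returning 0 for an unrecognised data type; that function is not visible in this hunk, so this is worth confirming or guarding. A short comment above the condition, such as `// reject counts that claim more records than the stream can still supply`, would record why the third clause exists. ReadTagData's body starts and ends outside the hunk.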