[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/qa filter/source
Caolán McNamara
caolanm at redhat.com
Sun Jul 19 23:20:27 PDT 2015
filter/qa/cppunit/data/tiff/fail/crash-3.tiff |binary
filter/source/graphicfilter/itiff/itiff.cxx | 2 ++
2 files changed, 2 insertions(+)
New commits:
commit ffed84552dcb03daf93e14036313bad285c3d140
Author: Caolán McNamara <caolanm at redhat.com>
Date: Sun Jul 19 21:32:05 2015 +0100
check np bounds again
Change-Id: I0fb61954b2eaf0c015d7bdefe9f03bd459b31501
(cherry picked from commit fcdddbd30a8b5cf6a5cc4d2ff28b7d4a20f8ec6b)
Reviewed-on: https://gerrit.libreoffice.org/17202
Reviewed-by: David Tardon <dtardon at redhat.com>
Tested-by: David Tardon <dtardon at redhat.com>
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-3.tiff b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff
new file mode 100644
index 0000000..4aa2393
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index dc556f3..c35d943 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -652,6 +652,8 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent )
pTIFF->Seek(pStripOffsets[nStrip]);
aLZWDecom.StartDecompression(*pTIFF);
}
+ if (np >= SAL_N_ELEMENTS(pMap))
+ return false;
if ( ( aLZWDecom.Decompress( pMap[ np ], nBytesPerRow ) != nBytesPerRow ) || pTIFF->GetError() )
return false;
MayCallback(nMinPercent+(nMaxPercent-nMinPercent)*(np*nImageLength+ny)/(nImageLength*nPlanes));
More information about the Libreoffice-commits
mailing list