[Libreoffice-commits] core.git: filter/source
Caolán McNamara
caolanm at redhat.com
Mon Mar 19 21:07:51 UTC 2018
filter/source/graphicfilter/itiff/itiff.cxx | 9 +++++++++
1 file changed, 9 insertions(+)
New commits:
commit c81765629bf0f7b3a0a8bb1dbed599a7f49ee58c
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Mar 19 14:22:45 2018 +0000
coverity#1266496 Untrusted loop bound
Change-Id: I89aaf8aab9e4f5230feb4c398fa4ebe9dc5e0add
Reviewed-on: https://gerrit.libreoffice.org/51563
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 1e93f39bf88e..e68f87e8f9c7 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1272,6 +1272,15 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
pTIFF->ReadUInt16( nNumTags );
+ const size_t nMinRecordSize = 12;
+ const size_t nMaxRecords = pTIFF->remainingSize() / nMinRecordSize;
+ if (nNumTags > nMaxRecords)
+ {
+ SAL_WARN("filter.tiff", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nNumTags << " claimed, truncating");
+ nNumTags = nMaxRecords;
+ }
+
// loop through tags:
for( i = 0; i < nNumTags; i++ )
{
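Review bot: The assignment `nNumTags = nMaxRecords;` inside the new guard implicitly narrows a `size_t` into the tag count, which is presumably a `sal_uInt16` because it is filled by `ReadUInt16`. The value always fits, since the branch is taken only when `nMaxRecords < nNumTags`, but the conversion should be spelled out as `nNumTags = static_cast<sal_uInt16>(nMaxRecords);` so that narrowing warnings stay meaningful elsewhere in this parser. The literal in `nMinRecordSize` also deserves a comment such as `// a TIFF IFD entry is 12 bytes: tag, type, count, value/offset`. The cap bounds only the iteration count against the bytes left at this position. The loop body continues outside the hunk, so it cannot be confirmed from here that each iteration still checks the stream state after reading or seeking on the truncated, already-malformed input.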