check np bounds again

Change-Id: I0fb61954b2eaf0c015d7bdefe9f03bd459b31501 (cherry picked from commit fcdddbd30a8b5cf6a5cc4d2ff28b7d4a20f8ec6b) Reviewed-on: https://gerrit.libreoffice.org/17202 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-19 21:32:05 +0100
committer: Andras Timar <andras.timar@collabora.com> 2015-08-03 19:50:43 +0200
commit: a3c1537c6c60a602b6a15650ae911a829658cb81 (patch)
tree: b960e7175574fc4ff293de1b5fc228e10d03e907
parent: 05d18298305b85e817d23b585556d4d1f10cb294 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-3.tiff b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff
new file mode 100644
index 000000000000..4aa2393ade25
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index dc556f30b2b5..c35d94356a3d 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -652,6 +652,8 @@ bool TIFFReader::ReadMap( sal_uLong nMinPercent, sal_uLong nMaxPercent )
                     pTIFF->Seek(pStripOffsets[nStrip]);
                     aLZWDecom.StartDecompression(*pTIFF);
                 }
+                if (np >= SAL_N_ELEMENTS(pMap))
+                    return false;
                 if ( ( aLZWDecom.Decompress( pMap[ np ], nBytesPerRow ) != nBytesPerRow ) || pTIFF->GetError() )
                     return false;
                 MayCallback(nMinPercent+(nMaxPercent-nMinPercent)*(np*nImageLength+ny)/(nImageLength*nPlanes));
author	Caolán McNamara <caolanm@redhat.com>	2015-07-19 21:32:05 +0100
committer	Andras Timar <andras.timar@collabora.com>	2015-08-03 19:50:43 +0200
commit	a3c1537c6c60a602b6a15650ae911a829658cb81 (patch)
tree	b960e7175574fc4ff293de1b5fc228e10d03e907
parent	05d18298305b85e817d23b585556d4d1f10cb294 (diff)