coverity#1266496 Untrusted loop bound

Change-Id: I89aaf8aab9e4f5230feb4c398fa4ebe9dc5e0add
Reviewed-on: https://gerrit.libreoffice.org/51563
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 1e93f39bf88e..e68f87e8f9c7 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1272,6 +1272,15 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
 
             pTIFF->ReadUInt16( nNumTags );
 
+            const size_t nMinRecordSize = 12;
+            const size_t nMaxRecords = pTIFF->remainingSize() / nMinRecordSize;
+            if (nNumTags > nMaxRecords)
+            {
+                SAL_WARN("filter.tiff", "Parsing error: " << nMaxRecords <<
+                         " max possible entries, but " << nNumTags << " claimed, truncating");
+                nNumTags = nMaxRecords;
+            }
+
             // loop through tags:
             for( i = 0; i < nNumTags; i++ )
             {