diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-09-27 14:43:03 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-09-27 21:28:58 +0200 |
| commit | 5a0f4d00d2e74785f2bffafc5daf85a3839d3961 (patch) | |
| tree | 900a465357cde0c2786cf6ce0f689c52d8ca9a7a | |
| parent | 05b3614cac57abc414955f8b1047cf5ca168580e (diff) | |
ofz#3499 oom in tiff reader
Change-Id: I2b9e98ed3a6749e2ee83a566ec857c1080e452f3
Reviewed-on: https://gerrit.libreoffice.org/42861
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | filter/source/graphicfilter/itiff/itiff.cxx | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 1521432eca84..ecda46305201 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -1407,6 +1407,33 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic ) bStatus = false; } } + else if (nCompression == 2 || nCompression == 3 || nCompression == 4) + { + if (nCompression == 3 && nGroup3Options & 0xfffffffa) + bStatus = false; + else if (nCompression == 4 && nGroup4Options & 0xffffffff) + bStatus = false; + sal_uInt32 np = nPlanes - 1; + if (np >= SAL_N_ELEMENTS(aMap)) + bStatus = false; + sal_Int32 ny = nImageLength - 1; + sal_uInt32 nStrip(0); + nDiv = GetRowsPerStrip(); + if (bStatus) + bStatus = nDiv != 0; + if (bStatus) + { + nStrip = ny / nDiv + np * nStripsPerPlane; + if (nStrip >= aStripOffsets.size()) + bStatus = false; + } + if (bStatus) + { + auto nStart = aStripOffsets[nStrip]; + if (nStart > nEndOfFile) + bStatus = false; + } + } } if ( bStatus ) |