detect another loop in tif format

Change-Id: I950f751277d9080b4fc00c38f63453cce81bcc32
author: Caolán McNamara <caolanm@redhat.com> 2015-07-17 09:59:23 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2015-07-17 10:00:45 +0100
commit: 49bf2c6700d8f0fc9155ac2d06bf0a7bd84915d8 (patch)
tree: 8f0d0a1db2f769741dc2bd1b40977823f35a9a56 /filter
parent: 64fe684368bd54f54f6838c7d8a59c9efeaa0965 (diff)
2 files changed, 10 insertions, 1 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-2.tiff b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff
new file mode 100644
index 000000000000..28ec8c0d3c2a
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index e132fab24696..aed15f629cda 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1181,10 +1181,19 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
     {
         sal_uInt32 nOffset = nFirstIfd;
 
+        std::vector<sal_uInt32> aSeenOffsets;
         // calculate length of TIFF file
         do
         {
-            pTIFF->Seek( nOrigPos + nOffset );
+            if (std::find(aSeenOffsets.begin(), aSeenOffsets.end(), nOffset) != aSeenOffsets.end())
+            {
+                SAL_WARN("filter.tiff", "Parsing error: " << nOffset <<
+                         " already processed, format loop");
+                bStatus = false;
+                break;
+            }
+            pTIFF->Seek(nOrigPos + nOffset);
+            aSeenOffsets.push_back(nOffset);
 
             if( pTIFF->GetError() )
             {
author	Caolán McNamara <caolanm@redhat.com>	2015-07-17 09:59:23 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2015-07-17 10:00:45 +0100
commit	49bf2c6700d8f0fc9155ac2d06bf0a7bd84915d8 (patch)
tree	8f0d0a1db2f769741dc2bd1b40977823f35a9a56 /filter
parent	64fe684368bd54f54f6838c7d8a59c9efeaa0965 (diff)