authorCaolán McNamara <caolanm@redhat.com>2022-05-20 20:16:17 +0100
committerCaolán McNamara <caolanm@redhat.com>2022-05-21 18:34:33 +0200
commit7e06a8adc513c4fd29e3fed037a48126071abc86 (patch)
tree3d28931e62ac8be6a1183eb901c12b2bf7a1bf49 /vcl
parentb36b225c6a2e73a6a8b7d353e69981a21d4bac77 (diff)
tiff: add some error checks
Change-Id: I55ca42f637c802bc917eeba5c08cc82074edd523 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134697 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r--vcl/source/filter/itiff/itiff.cxx25
1 files changed, 23 insertions, 2 deletions
diff --git a/vcl/source/filter/itiff/itiff.cxx b/vcl/source/filter/itiff/itiff.cxx
index 8fa61c4509b5..dde8a1f996b7 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -162,8 +162,23 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
{
uint32_t w, h;
- TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
- TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
+ if (TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w) != 1)
+ {
+ SAL_WARN("filter.tiff", "missing width");
+ break;
+ }
+
+ if (TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h) != 1)
+ {
+ SAL_WARN("filter.tiff", "missing height");
+ break;
+ }
+
+ if (w > SAL_MAX_INT32 / 8 || h > SAL_MAX_INT32 / 8)
+ {
+ SAL_WARN("filter.tiff", "image too large");
+ break;
+ }
Bitmap bitmap(Size(w, h), vcl::PixelFormat::N24_BPP);
AlphaMask bitmapAlpha(Size(w, h));
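Review bot: The guard `if (w > SAL_MAX_INT32 / 8 || h > SAL_MAX_INT32 / 8)` bounds each dimension separately, so the pixel count w*h (three bytes per pixel for N24_BPP, plus the alpha mask) can still be far larger than anything that can be allocated. The only backstop visible in this diff is the null-access check added in the next hunk, and any later code that multiplies w by h would need its own overflow check. I would bound the product here as well, for example `uint32_t nPixels;` followed by `if (w > SAL_MAX_INT32 / 8 || h > SAL_MAX_INT32 / 8 || o3tl::checked_multiply(w, h, nPixels))`, which may need the o3tl/safeint.hxx include if the file does not already have it. A one-line comment saying why the divisor is 8 would also help, since the hunk does not explain it. The enclosing do-block and function begin and end outside the hunk.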
@@ -171,6 +186,12 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
BitmapScopedWriteAccess access(bitmap);
AlphaScopedWriteAccess accessAlpha(bitmapAlpha);
+ if (!access || !accessAlpha)
+ {
+ SAL_WARN("filter.tiff", "could not create bitmaps");
+ break;
+ }
+
aContext.pWriteAccess = access.get();
aContext.pAlphaAccess = accessAlpha.get();
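Review bot: The warning `could not create bitmaps` carries no dimensions, so a log line from a rejected file does not show which size failed. Assuming w and h from the earlier hunk are still in scope here, `SAL_WARN("filter.tiff", "could not create bitmaps of size " << w << "x" << h);` would make triage easier. All four new failure paths leave via `break`, and what ImportTiffGraphicImport returns after the loop is outside this diff. It is worth confirming that a file rejected here is reported as a failed import rather than as a success with an empty or partial graphic.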