-rw-r--r-- | filter/qa/cppunit/data/tiff/fail/hang-5.tiff | bin | 0 -> 281 bytes | |||
-rw-r--r-- | filter/source/graphicfilter/itiff/itiff.cxx | 7 |
2 files changed, 5 insertions, 2 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-5.tiff b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
Binary files differ
new file mode 100644
index 000000000000..f1be3fa34b6e
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 7a5d48793acd..89de8e0c70b4 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -422,14 +422,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
 nNumStripByteCounts = 0; // to be on the safe side
 nOldNumSBC = nNumStripByteCounts;
 nDataLen += nOldNumSBC;
- if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSBC && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSBC) <= nMaxRecordsAvailable)
 {
 nNumStripByteCounts = nDataLen;
 try
 {
 pStripByteCounts = new sal_uLong[ nNumStripByteCounts ];
 }
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
 {
 pStripByteCounts = NULL;
 nNumStripByteCounts = 0; |
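Review bot: The allocation cap `nMaxAllocAllowed` is still computed with `sizeof(sal_uInt32)` although the array allocated a few lines below is `new sal_uLong[ nNumStripByteCounts ]`, so wherever sal_uLong is wider than 32 bits the cap admits a larger byte allocation than its name suggests; `const size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);` would keep the limit in step with the element type. The new stream-size bound covers only the records this tag adds (`nDataLen - nOldNumSBC`), so the total accumulated across repeated tags is limited by that cap alone, which is worth saying in a comment such as `// a tag may not claim more records than the rest of the stream can hold`. `DataTypeSize()` is now a divisor, so it should be confirmed that it cannot return 0 for an unrecognised data type; its definition is not visible here. The body of ReadTagData starts and continues outside this hunk, so how the rejected case is handled cannot be seen from here.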