-rw-r--r--filter/qa/cppunit/data/tiff/fail/hang-5.tiffbin0 -> 281 bytes
-rw-r--r--filter/source/graphicfilter/itiff/itiff.cxx7
2 files changed, 5 insertions, 2 deletions
diff --git a/filter/qa/cppunit/data/tiff/fail/hang-5.tiff b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
new file mode 100644
index 000000000000..f1be3fa34b6e
--- /dev/null
+++ b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
Binary files differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 7a5d48793acd..89de8e0c70b4 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -422,14 +422,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen)
nNumStripByteCounts = 0; // to be on the safe side
nOldNumSBC = nNumStripByteCounts;
nDataLen += nOldNumSBC;
- if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+ size_t nMaxRecordsAvailable = pTIFF->remainingSize() / DataTypeSize();
+ if (nDataLen > nOldNumSBC && nDataLen < nMaxAllocAllowed &&
+ (nDataLen - nOldNumSBC) <= nMaxRecordsAvailable)
{
nNumStripByteCounts = nDataLen;
try
{
pStripByteCounts = new sal_uLong[ nNumStripByteCounts ];
}
- catch (const std::bad_alloc &)
+ catch (const std::bad_alloc &)
{
pStripByteCounts = NULL;
nNumStripByteCounts = 0;
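Review bot: The allocation cap `nMaxAllocAllowed` is derived from `sizeof(sal_uInt32)`, but the array it guards is `new sal_uLong[ nNumStripByteCounts ]`, so on platforms where `sal_uLong` is 8 bytes the cap admits twice the bytes it suggests; `size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uLong);` would tie the limit to the element actually allocated. The added `remainingSize() / DataTypeSize()` bound appears intended to reject a tag that declares more strip byte counts than the stream can still supply, and a short comment such as `// a tag cannot describe more records than the stream still contains` would keep that intent visible next to the condition. `DataTypeSize()` is defined outside this hunk; confirm it never returns 0 for an unrecognised data type, since it is used as a divisor here. The body of `ReadTagData` starts and ends outside the hunk.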