From 13fd5d44c1d528c23bcade92241016195c37c453 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 14 Feb 2018 15:06:32 +0000
Subject: ofz#6329 Out-of-memory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I42fef1609db1253bcf262ccf3cc86088ea6ca647
Reviewed-on: https://gerrit.libreoffice.org/49739
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 filter/source/graphicfilter/ieps/ieps.cxx | 8 +++++++-
 filter/source/graphicfilter/itga/itga.cxx | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

(limited to 'filter')

diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx
index a2d94c45faac..e2b5b8e383ab 100644
--- a/filter/source/graphicfilter/ieps/ieps.cxx
+++ b/filter/source/graphicfilter/ieps/ieps.cxx
@@ -652,7 +652,13 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* )
                     long nBitDepth = ImplGetNumber(pDest, nSecurityCount);
                     long nScanLines = ImplGetNumber(pDest, nSecurityCount);
                     pDest = ImplSearchEntry(pDest, reinterpret_cast<sal_uInt8 const *>("%"), nSecurityCount, 1);       // go to the first Scanline
-                    if (pDest && nWidth > 0 && nHeight > 0 && ( ( nBitDepth == 1 ) || ( nBitDepth == 8 ) ) && nScanLines)
+                    bOk = pDest && nWidth > 0 && nHeight > 0 && ( ( nBitDepth == 1 ) || ( nBitDepth == 8 ) ) && nScanLines;
+                    if (bOk)
+                    {
+                        long nResult;
+                        bOk = !o3tl::checked_multiply(nWidth, nHeight, nResult) && nResult <= SAL_MAX_INT32/2/3;
+                    }
+                    if (bOk)
                     {
                         rStream.Seek( nBufStartPos + ( pDest - pBuf.get() ) );
 
diff --git a/filter/source/graphicfilter/itga/itga.cxx b/filter/source/graphicfilter/itga/itga.cxx
index 211537f34e67..28cfb8dd25b8 100644
--- a/filter/source/graphicfilter/itga/itga.cxx
+++ b/filter/source/graphicfilter/itga/itga.cxx
@@ -143,7 +143,7 @@ bool TGAReader::ReadTGA(Graphic & rGraphic)
         {
             sal_Size nSize = mpFileHeader->nImageWidth;
             nSize *= mpFileHeader->nImageHeight;
-            if (nSize > SAL_MAX_INT32/2)
+            if (nSize > SAL_MAX_INT32/2/3)
                 return false;
 
             mpBitmap.reset( new vcl::bitmap::RawBitmap( Size( mpFileHeader->nImageWidth, mpFileHeader->nImageHeight ) ) );
-- 
cgit