From fc3ba0cdd424e1ae2852ad9809b49a5e6e55b2f5 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Sun, 19 Jul 2015 21:25:46 +0100
Subject: check np bounds

Change-Id: Id16ae9325f3c67792941b9c88d83435aa98282ca
(cherry picked from commit be4e1141be7cd54cf5362d3de534050db5505437)
Reviewed-on: https://gerrit.libreoffice.org/17199
Reviewed-by: David Tardon
Tested-by: David Tardon
---
 filter/qa/cppunit/data/tiff/fail/crash-2.tiff | Bin 0 -> 260 bytes
 filter/source/graphicfilter/itiff/itiff.cxx | 2 ++
 2 files changed, 2 insertions(+)
 create mode 100644 filter/qa/cppunit/data/tiff/fail/crash-2.tiff
(limited to 'filter')
diff --git a/filter/qa/cppunit/data/tiff/fail/crash-2.tiff b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff
new file mode 100644
index 000000000000..aadd99f33d2d
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 834c437e7cc0..4599af97dc0c 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -608,6 +608,8 @@ bool TIFFReader::ReadMap()
 pTIFF->Seek( pStripOffsets[ nStrip ] );
 aCCIDecom.StartDecompression( *pTIFF );
 }
+ if (np >= SAL_N_ELEMENTS(pMap))
+ return false;
 if ( !aCCIDecom.DecompressScanline( pMap[ np ], nImageWidth * nBitsPerSample * nSamplesPerPixel / nPlanes, np + 1 == nPlanes ) )
 return false;
 if ( pTIFF->GetError() )
-- cgit
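Review bot: The added guard `if (np >= SAL_N_ELEMENTS(pMap)) return false;` covers only this one `pMap[ np ]` use, in what appears to be the CCITT branch of `TIFFReader::ReadMap()`, so any other branch that indexes `pMap[ np ]` in the same loop remains unchecked. Most of ReadMap's body lies outside the hunk, so this needs confirming against the full function. Since `np` is bounded by `nPlanes`, which is presumably derived from the file's tags, a single check before the scanline loop such as `if (nPlanes > SAL_N_ELEMENTS(pMap)) return false;` would cover every branch and reject the malformed file before decompression starts. A one-line comment like `// nPlanes comes from the file; pMap has a fixed number of entries` would record why the bound is enforced.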