filter/source/graphicfilter/itiff/itiff.cxx | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-)
New commits: commit 86efcdb9279a72408063653f1e99855bf0ca00c4 Author: Caolán McNamara <caol...@redhat.com> Date: Thu Feb 23 12:02:06 2017 +0000 Resolves: ofz#668 check for massive row lengths before trying to allocate them Change-Id: I7b3f1abf5dcf457e8ff7d04a7cf48ffee70817a2 Reviewed-on: https://gerrit.libreoffice.org/34574 Reviewed-by: Markus Mohrhard <markus.mohrh...@googlemail.com> Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Michael Stahl <mst...@redhat.com> diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index df21268..96c7f0c 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -67,7 +67,7 @@ private: sal_uLong nSubFile; sal_Int32 nImageWidth; // picture width in pixels sal_Int32 nImageLength; // picture height in pixels - sal_uLong nBitsPerSample; // bits per pixel per layer + sal_uInt32 nBitsPerSample; // bits per pixel per layer sal_uLong nCompression; // kind of compression sal_uLong nPhotometricInterpretation; sal_uLong nThresholding; @@ -77,7 +77,7 @@ private: sal_uLong* pStripOffsets; // field of offsets to the Bitmap-Data-"Strips" sal_uLong nNumStripOffsets; // size of the field above sal_uLong nOrientation; - sal_uLong nSamplesPerPixel; // number of layers + sal_uInt32 nSamplesPerPixel; // number of layers sal_uLong nRowsPerStrip; // if it's not compressed: number of rows per Strip sal_uLong* pStripByteCounts; // if compressed (in a certain way): size of the strips sal_uLong nNumStripByteCounts; // number of entries in the field above @@ -93,9 +93,9 @@ private: sal_uLong* pColorMap; // color palette sal_uLong nNumColors; // number of colors within the color palette - sal_uLong nPlanes; // number of layers within the Tiff file + sal_uInt32 nPlanes; // number of layers within the Tiff file sal_uLong nStripsPerPlane; // number of Strips per layer - sal_uLong nBytesPerRow; // Bytes per line per Layer in the Tiff file ( uncompressed ) + sal_uInt32 nBytesPerRow; // Bytes per line per Layer in the Tiff file ( uncompressed ) sal_uInt8* pMap[ 4 ]; // temporary Scanline @@ -1368,8 +1368,18 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic ) if (bStatus) { - nBytesPerRow = ( nImageWidth * nSamplesPerPixel / nPlanes * nBitsPerSample + 7 ) >> 3; + sal_uInt64 nRowSize = (static_cast<sal_uInt64>(nImageWidth) * nSamplesPerPixel / nPlanes * nBitsPerSample + 7) >> 3; + if (nRowSize > SAL_MAX_INT32 / SAL_N_ELEMENTS(pMap)) + { + SAL_WARN("filter.tiff", "Ludicrous row size of: " << nRowSize << " required"); + bStatus = false; + } + else + nBytesPerRow = nRowSize; + } + if (bStatus) + { for (sal_uInt8*& j : pMap) { try
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits