ofz#6345 Integer-overflow

Change-Id: I537b49bac053c0f55bbbc26b0d37dfae4c62106a Reviewed-on: https://gerrit.libreoffice.org/49817Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>

ofz#6345 Integer-overflow
Change-Id: I537b49bac053c0f55bbbc26b0d37dfae4c62106a Reviewed-on: https://gerrit.libreoffice.org/49817Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
1cde1dd4 · Caolán McNamara · 6864b7d9 · 1cde1dd4
Kaydet (Commit) 1cde1dd4 authored Şub 15, 2018 tarafından Caolán McNamara
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

itiff.cxx filter/source/graphicfilter/itiff/itiff.cxx +12 -1

No files found.
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1520,10 +1520,21 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
                }
            }

+            sal_Int32 nImageDataSize(0);
+            if (bStatus)
+            {
+                if (o3tl::checked_multiply<sal_Int32>(nImageWidth, nImageLength, nImageDataSize) ||
+                    o3tl::checked_multiply<sal_Int32>(nImageDataSize, (HasAlphaChannel() ? 4 : 3), nImageDataSize) ||
+                    nImageDataSize > SAL_MAX_INT32/2)
+                {
+                    bStatus = false;
+                }
+            }
+
            if ( bStatus )
            {
                maBitmapPixelSize = Size(nImageWidth, nImageLength);
-                mpBitmap.reset(new sal_uInt8[nImageWidth * nImageLength * (HasAlphaChannel() ? 4 : 3)]);
+                mpBitmap.reset(new sal_uInt8[nImageDataSize]);

                if (bStatus && ReadMap())
                {