From 8c4ca609c532b01c880d9803ba655c5688e5f0f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= Date: Fri, 27 May 2022 14:14:06 +0100 Subject: [PATCH] ofz#47673 skip oversized tiff images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I78727819b7c440855f89240f396dad845a295d61 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/135041 Tested-by: Caolán McNamara Reviewed-by: Caolán McNamara --- vcl/source/filter/itiff/itiff.cxx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/vcl/source/filter/itiff/itiff.cxx b/vcl/source/filter/itiff/itiff.cxx index 6eac698121f0..59021b8c4999 100644 --- a/vcl/source/filter/itiff/itiff.cxx +++ b/vcl/source/filter/itiff/itiff.cxx @@ -136,8 +136,14 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic) } } - size_t npixels = w * h; - std::vector raster(npixels); + uint32_t nPixelsRequired; + if (o3tl::checked_multiply(w, h, nPixelsRequired)) + { + SAL_WARN("filter.tiff", "skipping oversized tiff image"); + break; + } + + std::vector raster(nPixelsRequired); if (TIFFReadRGBAImageOriented(tif, w, h, raster.data(), ORIENTATION_TOPLEFT, 1)) { Bitmap bitmap(Size(w, h), vcl::PixelFormat::N24_BPP);