authorCaolán McNamara <caolanm@redhat.com>2022-08-19 12:19:58 +0100
committerCaolán McNamara <caolanm@redhat.com>2022-08-19 16:32:40 +0200
commit6e97fcf162b8495f0584f0bb67d020b3f3754780 (patch)
tree4ec95b35c178e81171f7e36ff5c34228a2f49c2d
parentd305edc242b7d1c03bd372356104418a344737fe (diff)
ofz#50335 Out-of-memory
Change-Id: I4a7dd1e0fc21518cc0efcb6a115f1946adef7aaf Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138518 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r--vcl/source/filter/itiff/itiff.cxx30
1 files changed, 24 insertions, 6 deletions
diff --git a/vcl/source/filter/itiff/itiff.cxx b/vcl/source/filter/itiff/itiff.cxx
index 3d21a66dc0af..1e71c6cb8adc 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -153,13 +153,9 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
constexpr size_t nMaxPixelsAllowed = SAL_MAX_INT32/4;
// two buffers currently required, so limit further
bool bOk = !o3tl::checked_multiply(w, h, nPixelsRequired) && nPixelsRequired <= nMaxPixelsAllowed / 2;
- if (!bOk)
- {
- SAL_WARN("filter.tiff", "skipping oversized tiff image " << w << " x " << h);
- break;
- }
+ SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized tiff image " << w << " x " << h);
- if (bFuzzing)
+ if (bOk && bFuzzing)
{
const uint64_t MAX_SIZE = 200000000;
if (TIFFTileSize64(tif) > MAX_SIZE || nPixelsRequired > MAX_SIZE)
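Review bot: After this change the "skipping oversized tiff image" warning no longer sits next to the `break` that acts on it, and nothing at the `SAL_WARN_IF` line says where the skip happens. The exit now depends on the `if (!bOk) break;` added in the following hunk, so a later edit that inserts code between the two could use `nPixelsRequired` after a failed `checked_multiply`. A one-line comment above the `SAL_WARN_IF`, such as `// bOk is acted on after the fuzzing-only checks below; do not use nPixelsRequired before then`, would make that dependency visible. The enclosing function and loop start and end outside this hunk.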
@@ -167,8 +163,30 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
SAL_WARN("filter.tiff", "skipping large tiffs");
break;
}
+
+ uint16_t PhotometricInterpretation;
+ if (TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &PhotometricInterpretation) == 1)
+ {
+ if (PhotometricInterpretation == PHOTOMETRIC_LOGL)
+ {
+ if (TIFFIsTiled(tif))
+ {
+ uint32_t tw, th;
+ if (TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw) == 1 &&
+ TIFFGetField(tif, TIFFTAG_TILELENGTH, &th) == 1)
+ {
+ uint32_t nLogLBufferRequired;
+ bOk = !o3tl::checked_multiply(tw, th, nLogLBufferRequired) && nLogLBufferRequired < MAX_SIZE;
+ SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized tiff tile " << tw << " x " << th);
+ }
+ }
+ }
+ }
}
+ if (!bOk)
+ break;
+
std::vector<uint32_t> raster(nPixelsRequired);
if (TIFFReadRGBAImageOriented(tif, w, h, raster.data(), ORIENTATION_TOPLEFT, 1))
{
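Review bot: The new LogL tile bound sits inside the `if (bOk && bFuzzing)` block and reuses that block's `MAX_SIZE`, so it only takes effect in fuzzing builds. In a normal build, a file declaring `PHOTOMETRIC_LOGL` with very large `TIFFTAG_TILEWIDTH` x `TIFFTAG_TILELENGTH` still reaches `TIFFReadRGBAImageOriented` with no limit from this code. If the check is meant as hardening against untrusted files rather than only keeping the fuzzer within its memory budget, it should move out of the fuzzing block with its own cap; otherwise say so in a comment, e.g. `// fuzzing-only: normal builds do not bound the LogL tile buffer here`. Two smaller points: `nLogLBufferRequired` is a pixel count, so if the decoder's scratch buffer uses more than one byte per pixel (likely, not visible here) the real allocation is a multiple of what is compared; and only the `TIFFIsTiled` case is bounded, leaving strip-organised LogL images unchecked. The test here is `< MAX_SIZE` while the existing one just above rejects `> MAX_SIZE`, so the two disagree at exactly `MAX_SIZE`.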