From a046795194f0540b5752887b837bb15d43ddcdda Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Sun, 25 Jan 2015 21:05:37 +0000
Subject: coverity#1266496 Untrusted loop bound

Change-Id: Ibab7f84940f6eec75bc3ee914bac59a07689a80c
---
 filter/source/graphicfilter/itiff/itiff.cxx | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'filter/source')

diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index cd56f63af437..edd1aa01fd8e 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1266,6 +1266,15 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
                 pTIFF->ReadUInt16( nNumTags );
                 nPos = pTIFF->Tell();
 
+                const size_t nMinRecordSize = 8;
+                const size_t nMaxRecords = pTIFF->remainingSize() / nMinRecordSize;
+                if (nNumTags > nMaxRecords)
+                {
+                    SAL_WARN("filter.tiff", "Parsing error: " << nMaxRecords <<
+                             " max possible entries, but " << nNumTags << " claimed, truncating");
+                    nNumTags = nMaxRecords;
+                }
+
                 // Schleife ueber Tags:
                 for( i = 0; i < nNumTags; i++ )
                 {
-- 
cgit