Really fix crash on certain malformed bmp images

This is an improvement of e4f71b0c. By using the QImageReader::read()
overload taking a QImage pointer, and ignoring the return value,
one could still end up with a corrupt QImage object.
Avoid the subsequent crashes by closing that hole.

Change-Id: I5dca10e4808ac3365e3ddba6689edecb7444948f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>

src/gui/image/qbmphandler.cpp

@@ -283,6 +283,12 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
             format = QImage::Format_Mono;
     }
 
+    if (depth != 32) {
+        ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
+        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
+            return false;
+    }
+
     if (bi.biHeight < 0)
         h = -h;                  // support images with negative height
 
@@ -290,19 +296,15 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
         image = QImage(w, h, format);
         if (image.isNull())                        // could not create image
             return false;
-    }
-
-    if (depth != 32) {
-        ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
-        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
-            return false;
-        image.setColorCount(ncols);
+        if (ncols)
+            image.setColorCount(ncols);            // Ensure valid QImage
     }
 
     image.setDotsPerMeterX(bi.biXPelsPerMeter);
     image.setDotsPerMeterY(bi.biYPelsPerMeter);
 
     if (ncols > 0) {                                // read color table
+        image.setColorCount(ncols);
         uchar rgb[4];
         int   rgb_len = t == BMP_OLD ? 3 : 4;
         for (int i=0; i<ncols; i++) {