AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes crash in bmp and ico image decoding

Browse Source 
Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.

Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
This commit is contained in:
Eirik Aavitsland 2015-03-11 13:34:01 +01:00 committed by aavit
parent d3048a2979
commit 51ec7ebfe5
2 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/gui/image/qbmphandler.cpp
View File

@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
p = data + (h-y-1)*bpl; p = data + (h-y-1)*bpl;
break; break;
case 2: // delta (jump) case 2: // delta (jump)
// Protection
if ((uint)x >= (uint)w)
x = w-1;
if ((uint)y >= (uint)h)
y = h-1;
{ {
quint8 tmp; quint8 tmp;
d->getChar((char *)&tmp); d->getChar((char *)&tmp);
@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
d->getChar((char *)&tmp); d->getChar((char *)&tmp);
y += tmp; y += tmp;
} }
// Protection
if ((uint)x >= (uint)w)
x = w-1;
if ((uint)y >= (uint)h)
y = h-1;
p = data + (h-y-1)*bpl + x; p = data + (h-y-1)*bpl + x;
break; break;
default: // absolute mode default: // absolute mode

2
src/plugins/imageformats/ico/qicohandler.cpp
View File

@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
QImage::Format format = QImage::Format_ARGB32; QImage::Format format = QImage::Format_ARGB32;
if (icoAttrib.nbits == 24) if (icoAttrib.nbits == 24)
format = QImage::Format_RGB32; format = QImage::Format_RGB32;
else if (icoAttrib.ncolors == 2) else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
format = QImage::Format_Mono; format = QImage::Format_Mono;
else if (icoAttrib.ncolors > 0) else if (icoAttrib.ncolors > 0)
format = QImage::Format_Indexed8; format = QImage::Format_Indexed8;