Crash fix: reject certain malformed bmp images

A malformed bmp file header could specify a negative color table
size. The bmp handler would then return a QImage that claimed to be
valid, but actually was invalid, having an empty color table. This
would cause crash later, e.g. when attempting to paint it.

Change-Id: I7df7c40867557a82dbcee44c7de061226ff232c0
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>

src/gui/image/qbmphandler.cpp

@@ -294,7 +294,7 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 
     if (depth != 32) {
         ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
-        if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
             return false;
         image.setColorCount(ncols);
     }

tests/auto/gui/image/qimagereader/tst_qimagereader.cpp

@@ -1482,6 +1482,7 @@ void tst_QImageReader::readCorruptImage_data()
     QTest::newRow("corrupt gif") << QString("corrupt.gif") << true << QString("") << QByteArray("gif");
     QTest::newRow("corrupt png") << QString("corrupt.png") << true << QString("") << QByteArray("png");
     QTest::newRow("corrupt bmp") << QString("corrupt.bmp") << true << QString("") << QByteArray("bmp");
+    QTest::newRow("corrupt bmp (clut)") << QString("corrupt_clut.bmp") << true << QString("") << QByteArray("bmp");
     QTest::newRow("corrupt xpm (colors)") << QString("corrupt-colors.xpm") << true
                                           << QString("QImage: XPM color specification is missing: bla9an.n#x")
                                           << QByteArray("xpm");