From e4f71b0cb5e52b4762c4c1d681eff08376e7bc0b Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Tue, 2 Feb 2016 14:06:28 +0100
Subject: [PATCH] Crash fix: reject certain malformed bmp images
A malformed bmp file header could specify a negative color table size. The bmp handler would then return a QImage that claimed to be valid, but actually was invalid, having an empty color table. This would cause crash later, e.g. when attempting to paint it.
Change-Id: I7df7c40867557a82dbcee44c7de061226ff232c0
Reviewed-by: Lars Knoll
Reviewed-by: Richard J. Moore
---
src/gui/image/qbmphandler.cpp | 2 +-
.../image/qimagereader/images/corrupt_clut.bmp | Bin 0 -> 368 bytes
.../gui/image/qimagereader/tst_qimagereader.cpp | 1 +
3 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index ef12b23caa..27bab10196 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -294,7 +294,7 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 if (depth != 32) {
 ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
- if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+ if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
 return false;
 image.setColorCount(ncols);
 }
diff --git a/tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp b/tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp
new file mode 100644
index 0000000000000000000000000000000000000000..aeb063fce5547720f174f19964f591fac6fa25e4
GIT binary patch
literal 368
zcmZ?r)nZ~gs{b*0wi^q>R0jqI1`Z&WVq{=o1hRk>7z;A8fM`Z(28Nse8!BD)KqNRA z>gGNK@?Nk%chfQHeCSj(WoCV7$}UlFE|VQAlXme|TkUiCa>e}446#ZX{%cuMdF~E} zrmII^<;_s^JoUbF^QN}hm!BP-%Hz)3rfs}?>XiM zk~VLJ85o$D!7kAQxrh
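Review bot: The comment on the changed `if` line still explains only the upper bound ("don't run out of mem"), while the new `ncols < 1` half guards a different failure — the empty color table that, per the commit message, made the returned QImage claim validity and crash later when painted; `// sanity check: reject an empty or negative color table (crashes later) or one too large to allocate` would document both halves. The lower bound also appears to depend on `bi.biClrUsed` having wrapped to a negative value when assigned to `ncols`; if `biClrUsed` is an unsigned field as in the BMP file format, validating it before the narrowing (`if (bi.biClrUsed > 256) return false;`) would state the intent directly instead of relying on the conversion. The hunk header counts seven lines per side but only six are visible, so a context line may have been lost in extraction; read_dib_body starts and ends outside the hunk.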