Don't crash on broken GIF images

Broken GIF images could set invalid width and height values inside the image, leading to Qt creating a null QImage for it. In that case we need to abort decoding the image and return an error. Initial patch by Rich Moore. Task-number: QTBUG-38367 Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e Security-advisory: CVE-2014-0190 Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-24 15:33:27 +02:00 · 2014-04-24 15:33:27 +02:00 · eb1325047f
commit eb1325047f
parent e57b521d95
1 changed files with 7 additions and 0 deletions
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
                    memset(bits, 0, image->byteCount());
                }

+                // Check if the previous attempt to create the image failed. If it
+                // did then the image is broken and we should give up.
+                if (image->isNull()) {
+                    state = Error;
+                    return -1;
+                }
+
                disposePrevious(image);
                disposed = false;