authorLaszlo Agocs <laszlo.agocs@qt.io>2019-03-21 10:11:09 +0100
committerMiikka Heikkinen <miikka.heikkinen@qt.io>2019-03-21 13:05:46 +0000
commit78488c1aa32d9f61656969de387b0b1d17b781db (patch)
tree04b9d35dd2ac7e1d9000e41dd5e2b9f89e74f8a3 /src
parent3c4591088f00e154281d5c6ce041ffe7da8f557b (diff)
Add safety checks to ktx parser
Task-number: QT3DS-3186 Change-Id: I214bd7e4b501b2db4b3b9f1e82adf943ba63a300 Reviewed-by: Antti Määttä <antti.maatta@qt.io> Reviewed-by: Miikka Heikkinen <miikka.heikkinen@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/runtime/q3dsimageloaders_p.h8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/runtime/q3dsimageloaders_p.h b/src/runtime/q3dsimageloaders_p.h
index a1e2459..2904300 100644
--- a/src/runtime/q3dsimageloaders_p.h
+++ b/src/runtime/q3dsimageloaders_p.h
@@ -915,6 +915,7 @@ inline QVector<Qt3DRender::QTextureImageDataPtr> q3ds_loadKtx(QIODevice *source)
return result;
}
+ const int rawDataSize = rawData.size();
const char *basep = rawData.constData();
const char *p = basep;
const int level0Width = decode(header.pixelWidth);
@@ -945,11 +946,16 @@ inline QVector<Qt3DRender::QTextureImageDataPtr> q3ds_loadKtx(QIODevice *source)
}
for (int mip = 0; mip < mipMapLevels; ++mip) {
+ if (p + 4 - basep > rawDataSize)
+ break;
int imageSize = *reinterpret_cast<const quint32 *>(p);
p += 4;
for (int face = 0; face < faceCount; ++face) {
+ const int nextOffset = p + imageSize - basep;
+ if (nextOffset > rawDataSize)
+ break;
result << createImageData(QByteArray(p, imageSize), mip);
- p = basep + q3ds_alignedOffset(p + imageSize - basep, 4);
+ p = basep + q3ds_alignedOffset(nextOffset, 4);
}
}
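Review bot: The added face-loop check misses an `imageSize` with the top bit set. The `quint32` read into `int imageSize` becomes negative, so `nextOffset` falls below the current offset and `nextOffset > rawDataSize` passes. `QByteArray(p, imageSize)` is then called with a negative size, which Qt treats as a NUL-terminated string whose length it measures itself, and `p` is moved backwards. Comparing the size with the bytes that remain closes this and avoids forming `p + imageSize` before it is validated: `const int remaining = rawDataSize - static_cast<int>(p - basep);` then `if (imageSize < 0 || imageSize > remaining) break;`. Separately, `break` in the face loop leaves only the inner loop, so the next mip reads its size from wherever `p` stopped; returning an empty result for a truncated file may be safer, though the rest of q3ds_loadKtx lies outside this hunk.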