bmp image handler: check for out of range image size

Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Change-Id: I874e04f3b43122d73f8e58c7a5bcc4a741b68264 Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 621ab8ab59901cc3f9bd98be709929c9eac997a8) Reviewed-by: Liang Qi <liang.qi@qt.io> (cherry picked from commit 5104a529ce5aea5e94101770ece188b98f20baaa)
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2018-09-04 11:08:06 +0200
committer: Liang Qi <liang.qi@qt.io> 2018-09-26 09:11:14 +0000
commit: c9b9f663d7243988bcb5fee9180ea9cb3a321a86 (patch)
tree: 1a7d85721b1667ccbd3ffa3c3d8874c0cc60c4e0
parent: 91c83d842c54180f98b23a1cf8878b9d7a22f1b2 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index bb238d3eb3..2e4c4109b2 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -173,6 +173,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
+        return false;
 
     return true;
 }
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2018-09-04 11:08:06 +0200
committer	Liang Qi <liang.qi@qt.io>	2018-09-26 09:11:14 +0000
commit	c9b9f663d7243988bcb5fee9180ea9cb3a321a86 (patch)
tree	1a7d85721b1667ccbd3ffa3c3d8874c0cc60c4e0
parent	91c83d842c54180f98b23a1cf8878b9d7a22f1b2 (diff)