Avoid potential ub in corrupt bmp file

biHeight may be int_min, in which case qAbs<int>() will not work. Fixes: oss-fuzz-22997 Change-Id: Ic07d5aa0b4e4f2b6395e1a12d742e31b5282fdfc Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 6f909a5178296855cdd53b053ced9c551a2474a6) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-06-15 15:57:05 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2020-09-10 06:58:16 +0000
commit: 12994284f443d9d4c2c86fd453ce6154b8da401f (patch)
tree: 851cb56dba6e42395424208a95c719516d0b3683
parent: 3d697e4a452adb56425099b335b197bb65a7ed51 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 396bb1964e..9075a518f9 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biHeight == INT_MIN)
+        return false; // out of range for positive int
     if (bi.biWidth <= 0 || !bi.biHeight || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
         return false;
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-06-15 15:57:05 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2020-09-10 06:58:16 +0000
commit	12994284f443d9d4c2c86fd453ce6154b8da401f (patch)
tree	851cb56dba6e42395424208a95c719516d0b3683
parent	3d697e4a452adb56425099b335b197bb65a7ed51 (diff)