gif image handler: check for out of range image size

Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Change-Id: Ic556d4fbcb6b542fc110d10e48dac1a880e60697 Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-05-27 12:50:26 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2020-06-02 09:21:11 +0000
commit: 26dc7f012a62d3744f194650af6b15412ac864ae (patch)
tree: d39c18c5ea1ab20258ee2b64fcb49340de6282ca
parent: e1e032d08396f398a1b851077879cdae024f0f95 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index 8d82bb15ca..c2b1c00d29 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -78,6 +78,10 @@ public:
 private:
     void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
     inline QRgb color(uchar index) const;
+    static bool withinSizeLimit(int width, int height)
+    {
+        return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+    }
 
     // GIF specific stuff
     QRgb* globalcmap;
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
                 if (image->isNull()) {
+                    if (!withinSizeLimit(swidth, sheight)) {
+                        state = Error;
+                        return -1;
+                    }
                     (*image) = QImage(swidth, sheight, format);
                     bpl = image->bytesPerLine();
                     bits = image->bits();
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                     if (backingstore.width() < w
                         || backingstore.height() < h) {
+
+                        if (!withinSizeLimit(w, h)) {
+                            state = Error;
+                            return -1;
+                        }
                         // We just use the backing store as a byte array
                         backingstore = QImage(qMax(backingstore.width(), w),
                                               qMax(backingstore.height(), h),
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-05-27 12:50:26 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2020-06-02 09:21:11 +0000
commit	26dc7f012a62d3744f194650af6b15412ac864ae (patch)
tree	d39c18c5ea1ab20258ee2b64fcb49340de6282ca
parent	e1e032d08396f398a1b851077879cdae024f0f95 (diff)