diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2016-05-25 10:27:51 +0200 |
---|---|---|
committer | Jani Heikkinen <jani.heikkinen@qt.io> | 2016-05-25 15:46:04 +0000 |
commit | 421aa422af2f6b147ad076ad1736b3747abc4317 (patch) | |
tree | 4472e550d5924142d60d4bc1d0918d7fb757397e | |
parent | d6905b2ada509cbe2322f65b862af3b99b79b792 (diff) |
Really fix crash on certain malformed bmp images
This is an improvement of e4f71b0c. By using the QImageReader::read()
overload taking a QImage pointer, and ignoring the return value,
one could still end up with a corrupt QImage object.
Avoid the subsequent crashes by closing that hole.
Change-Id: I5dca10e4808ac3365e3ddba6689edecb7444948f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
-rw-r--r-- | src/gui/image/qbmphandler.cpp | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp index 27bab10196..bb238d3eb3 100644 --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -283,6 +283,12 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int format = QImage::Format_Mono; } + if (depth != 32) { + ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits; + if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken + return false; + } + if (bi.biHeight < 0) h = -h; // support images with negative height @@ -290,19 +296,15 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int image = QImage(w, h, format); if (image.isNull()) // could not create image return false; - } - - if (depth != 32) { - ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits; - if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken - return false; - image.setColorCount(ncols); + if (ncols) + image.setColorCount(ncols); // Ensure valid QImage } image.setDotsPerMeterX(bi.biXPelsPerMeter); image.setDotsPerMeterY(bi.biYPelsPerMeter); if (ncols > 0) { // read color table + image.setColorCount(ncols); uchar rgb[4]; int rgb_len = t == BMP_OLD ? 3 : 4; for (int i=0; i<ncols; i++) { |