Really fix crash on certain malformed bmp images

This is an improvement of e4f71b0c. By using the QImageReader::read() overload taking a QImage pointer, and ignoring the return value, one could still end up with a corrupt QImage object. Avoid the subsequent crashes by closing that hole. Change-Id: I5dca10e4808ac3365e3ddba6689edecb7444948f Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com> Reviewed-by: Richard J. Moore <rich@kde.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2016-05-25 10:27:51 +0200
committer: Jani Heikkinen <jani.heikkinen@qt.io> 2016-05-25 15:46:04 +0000
commit: 421aa422af2f6b147ad076ad1736b3747abc4317 (patch)
tree: 4472e550d5924142d60d4bc1d0918d7fb757397e
parent: d6905b2ada509cbe2322f65b862af3b99b79b792 (diff)
1 files changed, 9 insertions, 7 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 27bab10196..bb238d3eb3 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -283,6 +283,12 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
             format = QImage::Format_Mono;
     }
 
+    if (depth != 32) {
+        ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
+        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
+            return false;
+    }
+
     if (bi.biHeight < 0)
         h = -h;                  // support images with negative height
 
@@ -290,19 +296,15 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
         image = QImage(w, h, format);
         if (image.isNull())                        // could not create image
             return false;
-    }
-
-    if (depth != 32) {
-        ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
-        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
-            return false;
-        image.setColorCount(ncols);
+        if (ncols)
+            image.setColorCount(ncols);            // Ensure valid QImage
     }
 
     image.setDotsPerMeterX(bi.biXPelsPerMeter);
     image.setDotsPerMeterY(bi.biYPelsPerMeter);
 
     if (ncols > 0) {                                // read color table
+        image.setColorCount(ncols);
         uchar rgb[4];
         int   rgb_len = t == BMP_OLD ? 3 : 4;
         for (int i=0; i<ncols; i++) {
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2016-05-25 10:27:51 +0200
committer	Jani Heikkinen <jani.heikkinen@qt.io>	2016-05-25 15:46:04 +0000
commit	421aa422af2f6b147ad076ad1736b3747abc4317 (patch)
tree	4472e550d5924142d60d4bc1d0918d7fb757397e
parent	d6905b2ada509cbe2322f65b862af3b99b79b792 (diff)