diff options
author | Robert Löhning <robert.loehning@qt.io> | 2022-02-25 20:26:59 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2022-03-02 14:06:24 +0000 |
commit | 1383ee98464aac30df0d585ff12975035a58b9d7 (patch) | |
tree | c4423b0f5a719ab9150f8d4233aff3b0bf4b6280 | |
parent | 58cf75e375676b12e3d22f5d8ff20835d9d22bc8 (diff) |
png/ico decoder: Don't try reading beyond the file
This fixes oss-fuzz issue 44955.
Change-Id: Ie74ae037630f83e64fd0678ff2eac579f35d02b8
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 27fae7207fabc5bd5e34beab0cfeedfc8b8ede78)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/plugins/imageformats/ico/qicohandler.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp index a3fe9d740c..e1811e861d 100644 --- a/src/plugins/imageformats/ico/qicohandler.cpp +++ b/src/plugins/imageformats/ico/qicohandler.cpp @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2022 The Qt Company Ltd. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the plugins of the Qt Toolkit. @@ -466,7 +466,9 @@ QImage ICOReader::iconAt(int index) static const uchar pngMagicData[] = { 137, 80, 78, 71, 13, 10, 26, 10 }; - iod->seek(iconEntry.dwImageOffset); + if (!iod->seek(iconEntry.dwImageOffset) + || iconEntry.dwBytesInRes > iod->bytesAvailable()) + return img; const QByteArray pngMagic = QByteArray::fromRawData((const char*)pngMagicData, sizeof(pngMagicData)); const bool isPngImage = (iod->read(pngMagic.size()) == pngMagic); |