authorRobert Löhning <robert.loehning@qt.io>2022-02-25 20:26:59 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2022-03-02 14:06:24 +0000
commit1383ee98464aac30df0d585ff12975035a58b9d7 (patch)
treec4423b0f5a719ab9150f8d4233aff3b0bf4b6280
parent58cf75e375676b12e3d22f5d8ff20835d9d22bc8 (diff)
png/ico decoder: Don't try reading beyond the file
This fixes oss-fuzz issue 44955. Change-Id: Ie74ae037630f83e64fd0678ff2eac579f35d02b8 Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit 27fae7207fabc5bd5e34beab0cfeedfc8b8ede78) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/plugins/imageformats/ico/qicohandler.cpp6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
index a3fe9d740c..e1811e861d 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -1,6 +1,6 @@
/****************************************************************************
**
-** Copyright (C) 2016 The Qt Company Ltd.
+** Copyright (C) 2022 The Qt Company Ltd.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the plugins of the Qt Toolkit.
@@ -466,7 +466,9 @@ QImage ICOReader::iconAt(int index)
static const uchar pngMagicData[] = { 137, 80, 78, 71, 13, 10, 26, 10 };
- iod->seek(iconEntry.dwImageOffset);
+ if (!iod->seek(iconEntry.dwImageOffset)
+ || iconEntry.dwBytesInRes > iod->bytesAvailable())
+ return img;
const QByteArray pngMagic = QByteArray::fromRawData((const char*)pngMagicData, sizeof(pngMagicData));
const bool isPngImage = (iod->read(pngMagic.size()) == pngMagic);
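Review bot: The new guard in `ICOReader::iconAt()` returns a null image with no comment explaining why, and the diffstat shows only qicohandler.cpp changed, so no regression test pins the behaviour for the truncated input from the fuzzer report. I would put a comment above the `if`, for example `// dwImageOffset/dwBytesInRes come from the file's directory entry and are untrusted; reject entries that extend past the end of the device`, and add an autotest that loads an ICO whose entry declares more bytes than the file holds and expects a null image. The check only compares the declared resource size with what remains in the device. Whether the PNG and BMP decode paths further down stay within `dwBytesInRes` is not visible in this hunk and is worth confirming, since the function body continues outside it. The guard also presumably relies on a random-access device, as `bytesAvailable()` on a sequential device would likely report only buffered data.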