author | Eirik Aavitsland <eirik.aavitsland@theqtcompany.com> | 2015-03-11 13:34:01 +0100 |
---|---|---|
committer | aavit <eirik.aavitsland@theqtcompany.com> | 2015-03-13 09:07:41 +0000 |
commit | 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe (patch) | |
tree | 1964f0a21221e055d2c2f62d7785ff3255c7a8c3 | |
parent | d3048a29797ee2d80d84bbda26bb3c954584f332 (diff) |
Fixes crash in bmp and ico image decoding
Fuzz testing revealed that for certain malformed bmp and ico files,
the handler would segfault.
Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
-rw-r--r-- | src/gui/image/qbmphandler.cpp | 13 | ||||
-rw-r--r-- | src/plugins/imageformats/ico/qicohandler.cpp | 2 |
2 files changed, 8 insertions, 7 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index df664994d6..8acc593c16 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 p = data + (h-y-1)*bpl;
 break;
 case 2: // delta (jump)
- // Protection
- if ((uint)x >= (uint)w)
- x = w-1;
- if ((uint)y >= (uint)h)
- y = h-1;
-
 {
 quint8 tmp;
 d->getChar((char *)&tmp);
@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 d->getChar((char *)&tmp);
 y += tmp;
 }
+
+ // Protection
+ if ((uint)x >= (uint)w)
+ x = w-1;
+ if ((uint)y >= (uint)h)
+ y = h-1;
+
 p = data + (h-y-1)*bpl + x;
 break;
 default: // absolute mode
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
index 00de0c80ad..ec1654ec58 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
 QImage::Format format = QImage::Format_ARGB32;
 if (icoAttrib.nbits == 24)
 format = QImage::Format_RGB32;
- else if (icoAttrib.ncolors == 2)
+ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
 format = QImage::Format_Mono;
 else if (icoAttrib.ncolors > 0)
 format = QImage::Format_Indexed8; |
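Review bot: The `d->getChar((char *)&tmp)` call at the end of this hunk (and its twin at the top of the next) ignores the return value, and `quint8 tmp;` has no initializer, so on a stream that ends in the middle of a delta record the jump is computed from a byte that was never written if getChar leaves its argument untouched on failure — I believe QIODevice does, but confirm. The relocated clamp keeps `p` inside the buffer either way, yet a truncated file is then decoded with an arbitrary jump instead of being rejected; `if (!d->getChar((char *)&tmp)) return false;` at both reads would report it through read_dib_body's bool result. read_dib_body starts before and continues after this hunk.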
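Review bot: The clamp now runs after `x += tmp` / `y += tmp`, which closes the out-of-bounds `p` the old placement allowed, but it silently pins an over-long jump to the last pixel instead of treating it as a corrupt RLE stream; since read_dib_body returns bool, `return false;` in both branches would let the caller fail the decode rather than continue from a clamped position. The `(uint)x >= (uint)w` comparison also assumes `w` and `h` are positive — with `w == 0` it sets `x = -1` — which is presumably established when the header was validated earlier in the function (not visible here); stating that next to the check, e.g. `// requires w > 0 && h > 0`, would make the invariant explicit. The enclosing switch and function continue outside the hunk.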
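Review bot: The added `&& icoAttrib.depth == 1` guard keeps a header that claims two colours from being decoded as Format_Mono when the pixel data is not 1 bpp, but nothing here says why two fields of the same file-supplied header must agree, so the next reader may simplify it away; a comment such as `// ncolors and depth both come from the file and can disagree; only real 1-bpp data may be Format_Mono` would preserve the intent. The opposite mismatch — `depth == 1` with `ncolors != 2` — still falls through to Indexed8 or ARGB32, which is presumably harmless for the later conversion but worth confirming against how ncolors is derived earlier in iconAt. iconAt starts before and continues after this hunk.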