Gif decoder: Harden handling of corrupt files

Fix potential UB for corrupt files. Change-Id: If5d1b859a03b09e3479a6a7adaaf3432958126b4 Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 8edf11d51059b2ecb42dbf45f037d88e5b2beab6) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-06-04 17:03:53 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2020-06-09 02:21:26 +0000
commit: 66cc65b92b19af2fd214f03b1b39dd3f5a8838d8 (patch)
tree: 80b9b9606e3b0c7da5736ba735701cf735979316
parent: e54112b46747ada712f902c2e08aaadfe97c238f (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index c2b1c00d29..e7bd16a5fb 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -53,8 +53,7 @@ QT_BEGIN_NAMESPACE
 #define Q_TRANSPARENT 0x00ffffff
 
 // avoid going through QImage::scanLine() which calls detach
-#define FAST_SCAN_LINE(bits, bpl, y) (bits + (y) * bpl)
-
+#define FAST_SCAN_LINE(bits, bpl, y) (bits + qptrdiff(y) * bpl)
 
 /*
   Incremental image decoder for GIF image format.
@@ -491,6 +490,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
             break;
           case ImageDataBlock:
             count++;
+            if (bitcount < 0 || bitcount > 31) {
+                state = Error;
+                return -1;
+            }
             accum|=(ch<<bitcount);
             bitcount+=8;
             while (bitcount>=code_size && state==ImageDataBlock) {
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-06-04 17:03:53 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2020-06-09 02:21:26 +0000
commit	66cc65b92b19af2fd214f03b1b39dd3f5a8838d8 (patch)
tree	80b9b9606e3b0c7da5736ba735701cf735979316
parent	e54112b46747ada712f902c2e08aaadfe97c238f (diff)