diff options
author | Eirik Aavitsland <eirik.aavitsland@theqtcompany.com> | 2016-02-02 14:06:28 +0100 |
---|---|---|
committer | Jani Heikkinen <jani.heikkinen@theqtcompany.com> | 2016-02-05 04:14:35 +0000 |
commit | e4f71b0cb5e52b4762c4c1d681eff08376e7bc0b (patch) | |
tree | 7251f6ea5fd0582a1d951a3378dc6bad89aba784 /src/gui/image/qbmphandler.cpp | |
parent | 786d23bb4966b6697ac04c43158e2312d898e133 (diff) |
Crash fix: reject certain malformed bmp images
A malformed bmp file header could specify a negative color table
size. The bmp handler would then return a QImage that claimed to be
valid, but actually was invalid, having an empty color table. This
would cause crash later, e.g. when attempting to paint it.
Change-Id: I7df7c40867557a82dbcee44c7de061226ff232c0
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src/gui/image/qbmphandler.cpp')
-rw-r--r-- | src/gui/image/qbmphandler.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp index ef12b23caa..27bab10196 100644 --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -294,7 +294,7 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int if (depth != 32) { ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits; - if (ncols > 256) // sanity check - don't run out of mem if color table is broken + if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken return false; image.setColorCount(ncols); } |