diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-01-14 11:30:36 +0100 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2019-02-05 22:47:07 +0000 |
commit | e96641d881f2106151995c812fabb9d6c58beccb (patch) | |
tree | 21082abeb57927ee9086319c77a52ca4233e9a24 /src/gui/image | |
parent | 0736e050cb0f82ca445e954e1db631f1dd1de473 (diff) |
Fix xbm image format handler: properly reject invalid files
The read_xbm_header() function is used to check for valid file header,
containing valid width and height values. But in case of an invalid file,
the check could depend on uninitialized variables.
Change-Id: I9f933ed6e38d86109e5b5a8d55fe763ab928d749
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/gui/image')
-rw-r--r-- | src/gui/image/qxbmhandler.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp index 24d86e116d..7ba44049b4 100644 --- a/src/gui/image/qxbmhandler.cpp +++ b/src/gui/image/qxbmhandler.cpp @@ -97,6 +97,8 @@ static bool read_xbm_header(QIODevice *device, int& w, int& h) if (r1.indexIn(sbuf) == 0 && r2.indexIn(sbuf, r1.matchedLength()) == r1.matchedLength()) w = QByteArray(&buf[r1.matchedLength()]).trimmed().toInt(); + else + return false; // "#define .._height <num>" readBytes = device->readLine(buf, buflen); @@ -109,6 +111,8 @@ static bool read_xbm_header(QIODevice *device, int& w, int& h) if (r1.indexIn(sbuf) == 0 && r2.indexIn(sbuf, r1.matchedLength()) == r1.matchedLength()) h = QByteArray(&buf[r1.matchedLength()]).trimmed().toInt(); + else + return false; // format error if (w <= 0 || w > 32767 || h <= 0 || h > 32767) |