Avoid potential ub in corrupt bmp file

biHeight may be int_min, in which case qAbs<int>() will not work. Fixes: oss-fuzz-22997 Change-Id: Ic07d5aa0b4e4f2b6395e1a12d742e31b5282fdfc Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 6f909a5178296855cdd53b053ced9c551a2474a6) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-06-15 15:57:05 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2020-08-07 08:42:45 +0000
commit: 13d3f361e2381136532d8abee23622a14de24624 (patch)
tree: c9c22c7e599e28cde9f415eef3dc2c4f2e599953 /src/gui
parent: 6565afdb1d3f10df5bca3e8e951e68e9bfb0cb0f (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 69aae6856c..96f1e8cb1d 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biHeight == INT_MIN)
+        return false; // out of range for positive int
     if (bi.biWidth <= 0 || !bi.biHeight || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
         return false;
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-06-15 15:57:05 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2020-08-07 08:42:45 +0000
commit	13d3f361e2381136532d8abee23622a14de24624 (patch)
tree	c9c22c7e599e28cde9f415eef3dc2c4f2e599953 /src/gui
parent	6565afdb1d3f10df5bca3e8e951e68e9bfb0cb0f (diff)