author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2020-06-04 17:03:53 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2020-06-09 00:35:38 +0200 |
commit | 8edf11d51059b2ecb42dbf45f037d88e5b2beab6 (patch) | |
tree | dd3d4e3c9a69fb4d928a1ee88e84d8fe04147b97 /src/plugins/imageformats/gif | |
parent | bb4402af2b2233100f9ca4a853af34b46cc60ffd (diff) |
Gif decoder: Harden handling of corrupt files
Fix potential UB for corrupt files.
Pick-to: 5.15 5.12
Change-Id: If5d1b859a03b09e3479a6a7adaaf3432958126b4
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Diffstat (limited to 'src/plugins/imageformats/gif')
-rw-r--r-- | src/plugins/imageformats/gif/qgifhandler.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index f7dc8e481f..078d3d596d 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -53,8 +53,7 @@ QT_BEGIN_NAMESPACE
 #define Q_TRANSPARENT 0x00ffffff
 // avoid going through QImage::scanLine() which calls detach
-#define FAST_SCAN_LINE(bits, bpl, y) (bits + (y) * bpl)
-
+#define FAST_SCAN_LINE(bits, bpl, y) (bits + qptrdiff(y) * bpl)
 /*
 Incremental image decoder for GIF image format.
@@ -491,6 +490,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 break;
 case ImageDataBlock:
 count++;
+ if (bitcount < 0 || bitcount > 31) {
+ state = Error;
+ return -1;
+ }
 accum|=(ch<<bitcount);
 bitcount+=8;
 while (bitcount>=code_size && state==ImageDataBlock) {
|
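Review bot: The macro arguments `bits` and `bpl` are still expanded without parentheses in the new `FAST_SCAN_LINE`, so an argument written as an expression (a sum passed as `bpl`, say) would bind with the wrong precedence; the call sites are outside this hunk, so whether any caller does that is not visible here. Writing it as `#define FAST_SCAN_LINE(bits, bpl, y) ((bits) + qptrdiff(y) * (bpl))` keeps the widening of `y` and removes the dependence on how callers spell their arguments. The comment above the macro could also record why `y` is widened, e.g. `// y is widened to qptrdiff so the row offset is not computed in int`.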
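Review bot: The new guard bounds `bitcount` by the width of a 32-bit int, but the shift on the following line, `accum|=(ch<<bitcount);`, can still overflow for counts the guard lets through: if `ch` is a byte promoted to `int` (its declaration is outside the hunk, so this is inferred), shifting a value of up to 255 by 25–31 bits is still undefined before C++20. Doing the shift in an unsigned type, `accum |= (uint(ch) << bitcount);`, makes every permitted count well defined and also avoids sign extension if `accum` is wider than `int`; alternatively the upper bound could be tightened to what a valid stream can reach. A one-line comment on the guard, such as `// corrupt data: shift count out of range for the accumulator`, would tell the next reader why decoding aborts here. The body of `QGIFFormat::decode` starts and ends outside the hunk.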