diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2020-09-18 14:55:32 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2020-09-18 21:37:10 +0200 |
commit | f1c1f444811643acda66aaeb21a9e73a8e60e830 (patch) | |
tree | eb46cb28a331e85dc16fb352c8557ea768f3fe4c /src/plugins/imageformats/gif | |
parent | 2cbeacd2cd1a32fda5ef7705e270c71b2ed3c369 (diff) |
Gif decoder: fix read error caused by ub check
The recently added check to avoid negative-bitshift ub ignored that
the algorithm will sometimes use a negative bitcount value as a
flag. This caused reading failure for some frames.
Pick-to: 5.15 5.12
Fixes: QTBUG-86702
Change-Id: I4c247a7eb6102f9b51cc8ac708c60db80d609e38
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Diffstat (limited to 'src/plugins/imageformats/gif')
-rw-r--r-- | src/plugins/imageformats/gif/qgifhandler.cpp | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp index 23a768e3d3..7ef0d076bb 100644 --- a/src/plugins/imageformats/gif/qgifhandler.cpp +++ b/src/plugins/imageformats/gif/qgifhandler.cpp @@ -492,12 +492,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, break; case ImageDataBlock: count++; - if (bitcount < 0 || bitcount > 31) { - state = Error; - return -1; + if (bitcount != -32768) { + if (bitcount < 0 || bitcount > 31) { + state = Error; + return -1; + } + accum |= (ch << bitcount); + bitcount += 8; } - accum|=(ch<<bitcount); - bitcount+=8; while (bitcount>=code_size && state==ImageDataBlock) { int code=accum&((1<<code_size)-1); bitcount-=code_size; |