author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2020-05-27 12:50:26 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-02 09:21:11 +0000 |
commit | 26dc7f012a62d3744f194650af6b15412ac864ae (patch) | |
tree | d39c18c5ea1ab20258ee2b64fcb49340de6282ca /src/plugins | |
parent | e1e032d08396f398a1b851077879cdae024f0f95 (diff) |
gif image handler: check for out of range image size
Make the decoder fail early to avoid spending time and memory on
attempting to decode a corrupt image file.
Change-Id: Ic556d4fbcb6b542fc110d10e48dac1a880e60697
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit 2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/imageformats/gif/qgifhandler.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index 8d82bb15ca..c2b1c00d29 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -78,6 +78,10 @@ public:
 private:
 void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
 inline QRgb color(uchar index) const;
+ static bool withinSizeLimit(int width, int height)
+ {
+ return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+ }
 // GIF specific stuff
 QRgb* globalcmap;
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
 if (image->isNull()) {
+ if (!withinSizeLimit(swidth, sheight)) {
+ state = Error;
+ return -1;
+ }
 (*image) = QImage(swidth, sheight, format);
 bpl = image->bytesPerLine();
 bits = image->bits();
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 if (backingstore.width() < w || backingstore.height() < h) {
+
+ if (!withinSizeLimit(w, h)) {
+ state = Error;
+ return -1;
+ }
 // We just use the backing store as a byte array
 backingstore = QImage(qMax(backingstore.width(), w), qMax(backingstore.height(), h), |
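Review bot: withinSizeLimit() in the first hunk takes signed ints but casts only `width` to quint64, so `height` is converted to unsigned as well and the product is taken modulo 2^64; two negative arguments (for example -1 and -1) wrap to a small value and pass the check. Whether either call site can hand it a negative value is not visible in this diff, so I would make the helper safe on its own: `return width >= 0 && height >= 0 && quint64(width) * height < 16384 * 16384;`. The comment could also say that the bound is a pixel count and that the comparison is strict, so a 16384 x 16384 image is rejected. The enclosing class starts and ends outside the hunk.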
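Review bot: In the `image->isNull()` branch of decode() (second hunk), a size that passes the new check can still be just under 16384 * 16384 pixels, and with the 32-bit formats selected on the line above that is close to 1 GiB for a single image, so the QImage constructor can still fail. The visible lines read `bytesPerLine()` and `bits()` straight after construction; if nothing below the hunk handles a null image, add `if (image->isNull()) { state = Error; return -1; }` after the assignment. decode() begins and ends outside the hunk, so an existing check further down may already cover this.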
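Review bot: The guard added before the backing-store allocation (third hunk) tests `w * h`, but the QImage that follows is sized `qMax(backingstore.width(), w)` by `qMax(backingstore.height(), h)`, and that product can be larger than `w * h` when an earlier frame made the store wide and this one is tall. Unless w and h are already bounded by the screen size checked in the previous hunk (their computation is outside this hunk), pass the dimensions that are actually allocated: `if (!withinSizeLimit(qMax(backingstore.width(), w), qMax(backingstore.height(), h))) {`. The blank `+` line ahead of the check can be dropped.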