gif image handler: check for out of range image size

Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Pick-to: 5.15 5.12 5.9 Change-Id: Ic556d4fbcb6b542fc110d10e48dac1a880e60697 Reviewed-by: Lars Knoll <lars.knoll@qt.io>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-05-27 12:50:26 +0200
committer: Eirik Aavitsland <eirik.aavitsland@qt.io> 2020-05-30 15:37:12 +0200
commit: 2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01 (patch)
tree: 50aa49d4000f73615834593c515b89eb672717a5 /src/plugins
parent: f71a400bf613d725b3bce959757b184593efc920 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index c0af900656..f7dc8e481f 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -78,6 +78,10 @@ public:
 private:
     void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
     inline QRgb color(uchar index) const;
+    static bool withinSizeLimit(int width, int height)
+    {
+        return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+    }
 
     // GIF specific stuff
     QRgb* globalcmap;
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
                 if (image->isNull()) {
+                    if (!withinSizeLimit(swidth, sheight)) {
+                        state = Error;
+                        return -1;
+                    }
                     (*image) = QImage(swidth, sheight, format);
                     bpl = image->bytesPerLine();
                     bits = image->bits();
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                     if (backingstore.width() < w
                         || backingstore.height() < h) {
+
+                        if (!withinSizeLimit(w, h)) {
+                            state = Error;
+                            return -1;
+                        }
                         // We just use the backing store as a byte array
                         backingstore = QImage(qMax(backingstore.width(), w),
                                               qMax(backingstore.height(), h),
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-05-27 12:50:26 +0200
committer	Eirik Aavitsland <eirik.aavitsland@qt.io>	2020-05-30 15:37:12 +0200
commit	2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01 (patch)
tree	50aa49d4000f73615834593c515b89eb672717a5 /src/plugins
parent	f71a400bf613d725b3bce959757b184593efc920 (diff)