Crash fix: reject certain malformed bmp images

A malformed bmp file header could specify a negative color table size. The bmp handler would then return a QImage that claimed to be valid, but actually was invalid, having an empty color table. This would cause crash later, e.g. when attempting to paint it. Change-Id: I7df7c40867557a82dbcee44c7de061226ff232c0 Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com> Reviewed-by: Richard J. Moore <rich@kde.org>
author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com> 2016-02-02 14:06:28 +0100
committer: Jani Heikkinen <jani.heikkinen@theqtcompany.com> 2016-02-05 04:14:35 +0000
commit: e4f71b0cb5e52b4762c4c1d681eff08376e7bc0b (patch)
tree: 7251f6ea5fd0582a1d951a3378dc6bad89aba784 /src
parent: 786d23bb4966b6697ac04c43158e2312d898e133 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index ef12b23caa..27bab10196 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -294,7 +294,7 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 
     if (depth != 32) {
         ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
-        if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+        if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
             return false;
         image.setColorCount(ncols);
     }
author	Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>	2016-02-02 14:06:28 +0100
committer	Jani Heikkinen <jani.heikkinen@theqtcompany.com>	2016-02-05 04:14:35 +0000
commit	e4f71b0cb5e52b4762c4c1d681eff08376e7bc0b (patch)
tree	7251f6ea5fd0582a1d951a3378dc6bad89aba784 /src
parent	786d23bb4966b6697ac04c43158e2312d898e133 (diff)