diff options
Diffstat (limited to 'src/plugins/imageformats/gif/qgifhandler.cpp')
-rw-r--r-- | src/plugins/imageformats/gif/qgifhandler.cpp | 118 |
1 files changed, 47 insertions, 71 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp index c92cc3ea61..8ad4ff7510 100644 --- a/src/plugins/imageformats/gif/qgifhandler.cpp +++ b/src/plugins/imageformats/gif/qgifhandler.cpp @@ -1,60 +1,21 @@ -/**************************************************************************** -** -** Copyright (C) 2016 The Qt Company Ltd. -** Contact: https://www.qt.io/licensing/ -** -** This file is part of the plugins of the Qt Toolkit. -** -** $QT_BEGIN_LICENSE:LGPL$ -** Commercial License Usage -** Licensees holding valid commercial Qt licenses may use this file in -** accordance with the commercial license agreement provided with the -** Software or, alternatively, in accordance with the terms contained in -** a written agreement between you and The Qt Company. For licensing terms -** and conditions see https://www.qt.io/terms-conditions. For further -** information use the contact form at https://www.qt.io/contact-us. -** -** GNU Lesser General Public License Usage -** Alternatively, this file may be used under the terms of the GNU Lesser -** General Public License version 3 as published by the Free Software -** Foundation and appearing in the file LICENSE.LGPL3 included in the -** packaging of this file. Please review the following information to -** ensure the GNU Lesser General Public License version 3 requirements -** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. -** -** GNU General Public License Usage -** Alternatively, this file may be used under the terms of the GNU -** General Public License version 2.0 or (at your option) the GNU General -** Public license version 3 or any later version approved by the KDE Free -** Qt Foundation. The licenses are as published by the Free Software -** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 -** included in the packaging of this file. Please review the following -** information to ensure the GNU General Public License requirements will -** be met: https://www.gnu.org/licenses/gpl-2.0.html and -** https://www.gnu.org/licenses/gpl-3.0.html. -** -** $QT_END_LICENSE$ -** -** WARNING: -** A separate license from Unisys may be required to use the gif -** reader. See http://www.unisys.com/about__unisys/lzw/ -** for information from Unisys -** -****************************************************************************/ +// Copyright (C) 2016 The Qt Company Ltd. +// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only #include "qgifhandler_p.h" #include <qimage.h> #include <qiodevice.h> +#include <qloggingcategory.h> #include <qvariant.h> QT_BEGIN_NAMESPACE +Q_LOGGING_CATEGORY(lcGif, "qt.gui.imageio.gif") + #define Q_TRANSPARENT 0x00ffffff // avoid going through QImage::scanLine() which calls detach -#define FAST_SCAN_LINE(bits, bpl, y) (bits + (y) * bpl) - +#define FAST_SCAN_LINE(bits, bpl, y) (bits + qptrdiff(y) * bpl) /* Incremental image decoder for GIF image format. @@ -70,7 +31,7 @@ public: int decode(QImage *image, const uchar* buffer, int length, int *nextFrameDelay, int *loopCount); - static void scan(QIODevice *device, QVector<QSize> *imageSizes, int *loopCount); + static void scan(QIODevice *device, QList<QSize> *imageSizes, int *loopCount); bool newFrame; bool partialNewFrame; @@ -78,6 +39,10 @@ public: private: void fillRect(QImage *image, int x, int y, int w, int h, QRgb col); inline QRgb color(uchar index) const; + static bool withinSizeLimit(int width, int height) + { + return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values + } // GIF specific stuff QRgb* globalcmap; @@ -246,7 +211,7 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, } image->detach(); - int bpl = image->bytesPerLine(); + qsizetype bpl = image->bytesPerLine(); unsigned char *bits = image->bits(); #define LM(l, m) (((m)<<8)|l) @@ -339,9 +304,9 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, // disbelieve ridiculous logical screen sizes, // unless the image frames are also large. - if (swidth/10 > qMax(newwidth,200)) + if (swidth/10 > qMax(newwidth,16384)) swidth = -1; - if (sheight/10 > qMax(newheight,200)) + if (sheight/10 > qMax(newheight,16384)) sheight = -1; if (swidth <= 0) @@ -351,7 +316,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32; if (image->isNull()) { - (*image) = QImage(swidth, sheight, format); + if (!withinSizeLimit(swidth, sheight)) { + state = Error; + return -1; + } + if (!QImageIOHandler::allocateImage(QSize(swidth, sheight), format, image)) { + state = Error; + return -1; + } bpl = image->bytesPerLine(); bits = image->bits(); if (bits) @@ -412,17 +384,21 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, if (backingstore.width() < w || backingstore.height() < h) { + + if (!withinSizeLimit(w, h)) { + state = Error; + return -1; + } // We just use the backing store as a byte array - backingstore = QImage(qMax(backingstore.width(), w), - qMax(backingstore.height(), h), - QImage::Format_RGB32); - if (backingstore.isNull()) { + QSize bsSize(qMax(backingstore.width(), w), qMax(backingstore.height(), h)); + if (!QImageIOHandler::allocateImage(bsSize, QImage::Format_RGB32, + &backingstore)) { state = Error; return -1; } memset(backingstore.bits(), 0, backingstore.sizeInBytes()); } - const int dest_bpl = backingstore.bytesPerLine(); + const qsizetype dest_bpl = backingstore.bytesPerLine(); unsigned char *dest_data = backingstore.bits(); for (int ln=0; ln<h; ln++) { memcpy(FAST_SCAN_LINE(dest_data, dest_bpl, ln), @@ -478,8 +454,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, break; case ImageDataBlock: count++; - accum|=(ch<<bitcount); - bitcount+=8; + if (bitcount != -32768) { + if (bitcount < 0 || bitcount > 31) { + state = Error; + return -1; + } + accum |= (ch << bitcount); + bitcount += 8; + } while (bitcount>=code_size && state==ImageDataBlock) { int code=accum&((1<<code_size)-1); bitcount-=code_size; @@ -629,7 +611,8 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, count++; if (count==hold[0]+1) { disposePrevious(image); - disposal=Disposal((hold[1]>>2)&0x7); + uint dBits = (hold[1] >> 2) & 0x7; + disposal = (dBits <= RestoreImage) ? Disposal(dBits) : NoDisposal; //UNUSED: waitforuser=!!((hold[1]>>1)&0x1); int delay=count>3 ? LM(hold[2], hold[3]) : 1; // IE and mozilla use a minimum delay of 10. With the minimum delay of 10 @@ -669,9 +652,9 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, /*! Scans through the data stream defined by \a device and returns the image - sizes found in the stream in the \a imageSizes vector. + sizes found in the stream in the \a imageSizes list. */ -void QGIFFormat::scan(QIODevice *device, QVector<QSize> *imageSizes, int *loopCount) +void QGIFFormat::scan(QIODevice *device, QList<QSize> *imageSizes, int *loopCount) { if (!device) return; @@ -1100,7 +1083,7 @@ bool QGifHandler::canRead() const bool QGifHandler::canRead(QIODevice *device) { if (!device) { - qWarning("QGifHandler::canRead() called with no device"); + qCWarning(lcGif, "QGifHandler::canRead() called with no device"); return false; } @@ -1163,9 +1146,9 @@ QVariant QGifHandler::option(ImageOption option) const } // before the first frame is read, or we have an empty data stream if (frameNumber == -1) - return (imageSizes.count() > 0) ? QVariant(imageSizes.at(0)) : QVariant(); + return (imageSizes.size() > 0) ? QVariant(imageSizes.at(0)) : QVariant(); // after the last frame has been read, the next size is undefined - if (frameNumber >= imageSizes.count() - 1) + if (frameNumber >= imageSizes.size() - 1) return QVariant(); // and the last case: the size of the next frame return imageSizes.at(frameNumber + 1); @@ -1192,7 +1175,7 @@ int QGifHandler::imageCount() const QGIFFormat::scan(device(), &imageSizes, &loopCnt); scanIsCached = true; } - return imageSizes.count(); + return imageSizes.size(); } int QGifHandler::loopCount() const @@ -1215,11 +1198,4 @@ int QGifHandler::currentImageNumber() const return frameNumber; } -#if QT_DEPRECATED_SINCE(5, 13) -QByteArray QGifHandler::name() const -{ - return "gif"; -} -#endif - QT_END_NAMESPACE |