1 files changed, 47 insertions, 71 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index c92cc3ea61..8ad4ff7510 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -1,60 +1,21 @@
-/****************************************************************************
-**
-** Copyright (C) 2016 The Qt Company Ltd.
-** Contact: https://www.qt.io/licensing/
-**
-** This file is part of the plugins of the Qt Toolkit.
-**
-** $QT_BEGIN_LICENSE:LGPL$
-** Commercial License Usage
-** Licensees holding valid commercial Qt licenses may use this file in
-** accordance with the commercial license agreement provided with the
-** Software or, alternatively, in accordance with the terms contained in
-** a written agreement between you and The Qt Company. For licensing terms
-** and conditions see https://www.qt.io/terms-conditions. For further
-** information use the contact form at https://www.qt.io/contact-us.
-**
-** GNU Lesser General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU Lesser
-** General Public License version 3 as published by the Free Software
-** Foundation and appearing in the file LICENSE.LGPL3 included in the
-** packaging of this file. Please review the following information to
-** ensure the GNU Lesser General Public License version 3 requirements
-** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
-**
-** GNU General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU
-** General Public License version 2.0 or (at your option) the GNU General
-** Public license version 3 or any later version approved by the KDE Free
-** Qt Foundation. The licenses are as published by the Free Software
-** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
-** included in the packaging of this file. Please review the following
-** information to ensure the GNU General Public License requirements will
-** be met: https://www.gnu.org/licenses/gpl-2.0.html and
-** https://www.gnu.org/licenses/gpl-3.0.html.
-**
-** $QT_END_LICENSE$
-**
-** WARNING:
-**      A separate license from Unisys may be required to use the gif
-**      reader. See http://www.unisys.com/about__unisys/lzw/
-**      for information from Unisys
-**
-****************************************************************************/
+// Copyright (C) 2016 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 #include "qgifhandler_p.h"
 
 #include <qimage.h>
 #include <qiodevice.h>
+#include <qloggingcategory.h>
 #include <qvariant.h>
 
 QT_BEGIN_NAMESPACE
 
+Q_LOGGING_CATEGORY(lcGif, "qt.gui.imageio.gif")
+
 #define Q_TRANSPARENT 0x00ffffff
 
 // avoid going through QImage::scanLine() which calls detach
-#define FAST_SCAN_LINE(bits, bpl, y) (bits + (y) * bpl)
-
+#define FAST_SCAN_LINE(bits, bpl, y) (bits + qptrdiff(y) * bpl)
 
 /*
   Incremental image decoder for GIF image format.
@@ -70,7 +31,7 @@ public:
 
     int decode(QImage *image, const uchar* buffer, int length,
                int *nextFrameDelay, int *loopCount);
-    static void scan(QIODevice *device, QVector<QSize> *imageSizes, int *loopCount);
+    static void scan(QIODevice *device, QList<QSize> *imageSizes, int *loopCount);
 
     bool newFrame;
     bool partialNewFrame;
@@ -78,6 +39,10 @@ public:
 private:
     void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
     inline QRgb color(uchar index) const;
+    static bool withinSizeLimit(int width, int height)
+    {
+        return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+    }
 
     // GIF specific stuff
     QRgb* globalcmap;
@@ -246,7 +211,7 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
     }
 
     image->detach();
-    int bpl = image->bytesPerLine();
+    qsizetype bpl = image->bytesPerLine();
     unsigned char *bits = image->bits();
 
 #define LM(l, m) (((m)<<8)|l)
@@ -339,9 +304,9 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 // disbelieve ridiculous logical screen sizes,
                 // unless the image frames are also large.
-                if (swidth/10 > qMax(newwidth,200))
+                if (swidth/10 > qMax(newwidth,16384))
                     swidth = -1;
-                if (sheight/10 > qMax(newheight,200))
+                if (sheight/10 > qMax(newheight,16384))
                     sheight = -1;
 
                 if (swidth <= 0)
@@ -351,7 +316,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
                 if (image->isNull()) {
-                    (*image) = QImage(swidth, sheight, format);
+                    if (!withinSizeLimit(swidth, sheight)) {
+                        state = Error;
+                        return -1;
+                    }
+                    if (!QImageIOHandler::allocateImage(QSize(swidth, sheight), format, image)) {
+                        state = Error;
+                        return -1;
+                    }
                     bpl = image->bytesPerLine();
                     bits = image->bits();
                     if (bits)
@@ -412,17 +384,21 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                     if (backingstore.width() < w
                         || backingstore.height() < h) {
+
+                        if (!withinSizeLimit(w, h)) {
+                            state = Error;
+                            return -1;
+                        }
                         // We just use the backing store as a byte array
-                        backingstore = QImage(qMax(backingstore.width(), w),
-                                              qMax(backingstore.height(), h),
-                                              QImage::Format_RGB32);
-                        if (backingstore.isNull()) {
+                        QSize bsSize(qMax(backingstore.width(), w), qMax(backingstore.height(), h));
+                        if (!QImageIOHandler::allocateImage(bsSize, QImage::Format_RGB32,
+                                                            &backingstore)) {
                             state = Error;
                             return -1;
                         }
                         memset(backingstore.bits(), 0, backingstore.sizeInBytes());
                     }
-                    const int dest_bpl = backingstore.bytesPerLine();
+                    const qsizetype dest_bpl = backingstore.bytesPerLine();
                     unsigned char *dest_data = backingstore.bits();
                     for (int ln=0; ln<h; ln++) {
                         memcpy(FAST_SCAN_LINE(dest_data, dest_bpl, ln),
@@ -478,8 +454,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
             break;
           case ImageDataBlock:
             count++;
-            accum|=(ch<<bitcount);
-            bitcount+=8;
+            if (bitcount != -32768) {
+                if (bitcount < 0 || bitcount > 31) {
+                    state = Error;
+                    return -1;
+                }
+                accum |= (ch << bitcount);
+                bitcount += 8;
+            }
             while (bitcount>=code_size && state==ImageDataBlock) {
                 int code=accum&((1<<code_size)-1);
                 bitcount-=code_size;
@@ -629,7 +611,8 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
             count++;
             if (count==hold[0]+1) {
                 disposePrevious(image);
-                disposal=Disposal((hold[1]>>2)&0x7);
+                uint dBits = (hold[1] >> 2) & 0x7;
+                disposal = (dBits <= RestoreImage) ? Disposal(dBits) : NoDisposal;
                 //UNUSED: waitforuser=!!((hold[1]>>1)&0x1);
                 int delay=count>3 ? LM(hold[2], hold[3]) : 1;
                 // IE and mozilla use a minimum delay of 10. With the minimum delay of 10
@@ -669,9 +652,9 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
 /*!
    Scans through the data stream defined by \a device and returns the image
-   sizes found in the stream in the \a imageSizes vector.
+   sizes found in the stream in the \a imageSizes list.
 */
-void QGIFFormat::scan(QIODevice *device, QVector<QSize> *imageSizes, int *loopCount)
+void QGIFFormat::scan(QIODevice *device, QList<QSize> *imageSizes, int *loopCount)
 {
     if (!device)
         return;
@@ -1100,7 +1083,7 @@ bool QGifHandler::canRead() const
 bool QGifHandler::canRead(QIODevice *device)
 {
     if (!device) {
-        qWarning("QGifHandler::canRead() called with no device");
+        qCWarning(lcGif, "QGifHandler::canRead() called with no device");
         return false;
     }
 
@@ -1163,9 +1146,9 @@ QVariant QGifHandler::option(ImageOption option) const
         }
         // before the first frame is read, or we have an empty data stream
         if (frameNumber == -1)
-            return (imageSizes.count() > 0) ? QVariant(imageSizes.at(0)) : QVariant();
+            return (imageSizes.size() > 0) ? QVariant(imageSizes.at(0)) : QVariant();
         // after the last frame has been read, the next size is undefined
-        if (frameNumber >= imageSizes.count() - 1)
+        if (frameNumber >= imageSizes.size() - 1)
             return QVariant();
         // and the last case: the size of the next frame
         return imageSizes.at(frameNumber + 1);
@@ -1192,7 +1175,7 @@ int QGifHandler::imageCount() const
         QGIFFormat::scan(device(), &imageSizes, &loopCnt);
         scanIsCached = true;
     }
-    return imageSizes.count();
+    return imageSizes.size();
 }
 
 int QGifHandler::loopCount() const
@@ -1215,11 +1198,4 @@ int QGifHandler::currentImageNumber() const
     return frameNumber;
 }
 
-#if QT_DEPRECATED_SINCE(5, 13)
-QByteArray QGifHandler::name() const
-{
-    return "gif";
-}
-#endif
-
 QT_END_NAMESPACE