Diffstat (limited to 'src/plugins/imageformats/gif/qgifhandler.cpp')
-rw-r--r--src/plugins/imageformats/gif/qgifhandler.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index c0af900656..f7dc8e481f 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -78,6 +78,10 @@ public:
private:
void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
inline QRgb color(uchar index) const;
+ static bool withinSizeLimit(int width, int height)
+ {
+ return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+ }
// GIF specific stuff
QRgb* globalcmap;
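Review bot: withinSizeLimit() takes signed ints but never rejects negative values. In `quint64(width) * height` a negative operand converts to a very large unsigned number and the product wraps modulo 2^64, so two negative inputs can multiply to a small value that passes the check. The screen size passed by the first caller may well be non-negative, but the `w`/`h` passed in the third hunk are computed outside the visible lines, so the helper should not depend on its callers for this. I would write `return width >= 0 && height >= 0 && quint64(width) * quint64(height) < 16384 * 16384;`. The limit also deserves a named constant with a comment saying it is a pixel-count cap, just under 1 GiB at 4 bytes per pixel.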
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
if (image->isNull()) {
+ if (!withinSizeLimit(swidth, sheight)) {
+ state = Error;
+ return -1;
+ }
(*image) = QImage(swidth, sheight, format);
bpl = image->bytesPerLine();
bits = image->bits();
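Review bot: The new guard caps the pixel count, but the allocation right after it can still fail, and the visible lines then use `image->bytesPerLine()` and `image->bits()` without checking the result. Both formats chosen above are 32-bit, so an accepted header can still request close to 1 GiB, which a 32-bit or memory-constrained process may not get. QImage yields a null image in that case. I would add `if (image->isNull()) { state = Error; return -1; }` directly after the `QImage(swidth, sheight, format)` assignment. The body of decode() continues outside this hunk, so a later check may already exist there.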
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
if (backingstore.width() < w
|| backingstore.height() < h) {
+
+ if (!withinSizeLimit(w, h)) {
+ state = Error;
+ return -1;
+ }
// We just use the backing store as a byte array
backingstore = QImage(qMax(backingstore.width(), w),
qMax(backingstore.height(), h),
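Review bot: The check here validates `w * h`, but the allocation below uses `qMax(backingstore.width(), w)` by `qMax(backingstore.height(), h)`, which can be much larger than either product. A wide, short backing store followed by a narrow, tall frame passes both checks individually yet produces a large combined size. This is harmless only if `w` and `h` are already clamped to the screen size earlier in decode(), which is outside the hunk. I would test the dimensions actually allocated: `const int bw = qMax(backingstore.width(), w); const int bh = qMax(backingstore.height(), h);` then `if (!withinSizeLimit(bw, bh)) { state = Error; return -1; }`, and pass `bw`, `bh` to the QImage constructor.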