From 421aa422af2f6b147ad076ad1736b3747abc4317 Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Wed, 25 May 2016 10:27:51 +0200 Subject: Really fix crash on certain malformed bmp images This is an improvement of e4f71b0c. By using the QImageReader::read() overload taking a QImage pointer, and ignoring the return value, one could still end up with a corrupt QImage object. Avoid the subsequent crashes by closing that hole. Change-Id: I5dca10e4808ac3365e3ddba6689edecb7444948f Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Lars Knoll Reviewed-by: Richard J. Moore --- src/gui/image/qbmphandler.cpp | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp index 27bab10196..bb238d3eb3 100644 --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -283,6 +283,12 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int format = QImage::Format_Mono; } + if (depth != 32) { + ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits; + if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken + return false; + } + if (bi.biHeight < 0) h = -h; // support images with negative height @@ -290,19 +296,15 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int image = QImage(w, h, format); if (image.isNull()) // could not create image return false; - } - - if (depth != 32) { - ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits; - if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken - return false; - image.setColorCount(ncols); + if (ncols) + image.setColorCount(ncols); // Ensure valid QImage } image.setDotsPerMeterX(bi.biXPelsPerMeter); image.setDotsPerMeterY(bi.biYPelsPerMeter); if (ncols > 0) { // read color table + image.setColorCount(ncols); uchar rgb[4]; int rgb_len = t == BMP_OLD ? 3 : 4; for (int i=0; i