From e4f71b0cb5e52b4762c4c1d681eff08376e7bc0b Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Tue, 2 Feb 2016 14:06:28 +0100
Subject: Crash fix: reject certain malformed bmp images

A malformed bmp file header could specify a negative color table size. The bmp handler would then return a QImage that claimed to be valid, but actually was invalid, having an empty color table. This would cause crash later, e.g. when attempting to paint it.

Change-Id: I7df7c40867557a82dbcee44c7de061226ff232c0
Reviewed-by: Lars Knoll
Reviewed-by: Richard J. Moore
---
 src/gui/image/qbmphandler.cpp | 2 +-
 tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp | Bin 0 -> 368 bytes
 tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 1 +
 3 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index ef12b23caa..27bab10196 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -294,7 +294,7 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 if (depth != 32) {
 ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
- if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+ if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken
 return false;
 image.setColorCount(ncols);
 }
diff --git a/tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp b/tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp
new file mode 100644
index 0000000000..aeb063fce5
Binary files /dev/null and b/tests/auto/gui/image/qimagereader/images/corrupt_clut.bmp differ
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 86dd8c4daf..ff15dc5b6d 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
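Review bot: The comment on the added line still documents only the upper bound, so the reason for the new `ncols < 1` half (a negative `biClrUsed` used to pass the check and produce an image with an empty color table) is lost to the next reader; suggest `// sanity check: reject a negative/zero or oversized color table so a broken header cannot yield an image with an empty CLUT`. The lower bound can only trigger when `biClrUsed` is negative, because the `1 << nbits` fallback is always at least 1, but that shift is evaluated before the check and so relies on `nbits` having been bounded earlier in read_dib_body, outside the hunk — worth a one-line comment if that is the case. A header whose `biClrUsed` is smaller than `1 << nbits` still passes, so pixel indices can exceed the color count; presumably the pixel decoding further down handles that, but the hunk does not show it. read_dib_body starts and ends outside the hunk.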
@@ -1482,6 +1482,7 @@ void tst_QImageReader::readCorruptImage_data()
 QTest::newRow("corrupt gif") << QString("corrupt.gif") << true << QString("") << QByteArray("gif");
 QTest::newRow("corrupt png") << QString("corrupt.png") << true << QString("") << QByteArray("png");
 QTest::newRow("corrupt bmp") << QString("corrupt.bmp") << true << QString("") << QByteArray("bmp");
+ QTest::newRow("corrupt bmp (clut)") << QString("corrupt_clut.bmp") << true << QString("") << QByteArray("bmp");
 QTest::newRow("corrupt xpm (colors)") << QString("corrupt-colors.xpm") << true << QString("QImage: XPM color specification is missing: bla9an.n#x") << QByteArray("xpm");
-- cgit v1.2.3