From 6f909a5178296855cdd53b053ced9c551a2474a6 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 15 Jun 2020 15:57:05 +0200
Subject: Avoid potential ub in corrupt bmp file

biHeight may be int_min, in which case qAbs<int>() will not work.

Fixes: oss-fuzz-22997
Pick-to: 5.15 5.12
Change-Id: Ic07d5aa0b4e4f2b6395e1a12d742e31b5282fdfc
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/gui/image/qbmphandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/gui/image')

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 715bbd11ec..74df9820e4 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biHeight == INT_MIN)
+        return false; // out of range for positive int
     if (bi.biWidth <= 0 || !bi.biHeight || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
         return false;
 
-- 
cgit v1.2.3