From 509bc7e59c69937900cf258e64889a6e88edbcf0 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
Date: Tue, 3 Mar 2015 09:39:22 +0100
Subject: Fix another crash when converting format of buffer-created QImage

This continues 68762151dbf45fbb44e140ac2ad13dbe8d357352

When doing format conversion, the optimized inplace codepath did not
check if the image data was external, i.e. if the QImage had been
created by the constructor taking an existing external buffer.

The previous commit fixed the readonly case. But in the case of the
QImage constructor taking non-const uchar*, data will be read-write,
but still external. This would of course crash if the converter tries
to realloc it.

Task-number: QTBUG-44610
Change-Id: I94d275d464e8af221682b538fc3e4897a59c061e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
---
 src/gui/image/qimage_conversions.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/gui/image')

diff --git a/src/gui/image/qimage_conversions.cpp b/src/gui/image/qimage_conversions.cpp
index b2681f4261..bd40d0d4fc 100644
--- a/src/gui/image/qimage_conversions.cpp
+++ b/src/gui/image/qimage_conversions.cpp
@@ -716,6 +716,8 @@ static bool convert_BGR30_to_RGB30_inplace(QImageData *data, Qt::ImageConversion
 static bool convert_indexed8_to_ARGB_PM_inplace(QImageData *data, Qt::ImageConversionFlags)
 {
     Q_ASSERT(data->format == QImage::Format_Indexed8);
+    if (!data->own_data)
+        return false;
     const int depth = 32;
 
     const int dst_bytes_per_line = ((data->width * depth + 31) >> 5) << 2;
@@ -768,6 +770,8 @@ static bool convert_indexed8_to_ARGB_PM_inplace(QImageData *data, Qt::ImageConve
 static bool convert_indexed8_to_RGB_inplace(QImageData *data, Qt::ImageConversionFlags)
 {
     Q_ASSERT(data->format == QImage::Format_Indexed8);
+    if (!data->own_data)
+        return false;
     const int depth = 32;
 
     const int dst_bytes_per_line = ((data->width * depth + 31) >> 5) << 2;
@@ -817,6 +821,8 @@ static bool convert_indexed8_to_RGB_inplace(QImageData *data, Qt::ImageConversio
 static bool convert_indexed8_to_RGB16_inplace(QImageData *data, Qt::ImageConversionFlags)
 {
     Q_ASSERT(data->format == QImage::Format_Indexed8);
+    if (!data->own_data)
+        return false;
     const int depth = 16;
 
     const int dst_bytes_per_line = ((data->width * depth + 31) >> 5) << 2;
@@ -872,6 +878,8 @@ static bool convert_indexed8_to_RGB16_inplace(QImageData *data, Qt::ImageConvers
 static bool convert_RGB_to_RGB16_inplace(QImageData *data, Qt::ImageConversionFlags)
 {
     Q_ASSERT(data->format == QImage::Format_RGB32);
+    if (!data->own_data)
+        return false;
     const int depth = 16;
 
     const int dst_bytes_per_line = ((data->width * depth + 31) >> 5) << 2;
-- 
cgit v1.2.3


From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
Date: Wed, 11 Mar 2015 09:00:41 +0100
Subject: Fixes crash in gif image decoder

Fuzzing test revealed that for certain malformed gif files,
qgifhandler would segfault.

Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
Reviewed-by: Richard J. Moore <rich@kde.org>
---
 src/gui/image/qgifhandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/gui/image')

diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
index 03e46ab578..8d8c4aef7d 100644
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
 
 void QGIFFormat::nextY(unsigned char *bits, int bpl)
 {
+    if (out_of_bounds)
+        return;
     int my;
     switch (interlace) {
     case 0: // Non-interlaced
-- 
cgit v1.2.3


From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
Date: Wed, 11 Mar 2015 13:34:01 +0100
Subject: Fixes crash in bmp and ico image decoding

Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.

Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
---
 src/gui/image/qbmphandler.cpp | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'src/gui/image')

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index df664994d6..8acc593c16 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
                             p = data + (h-y-1)*bpl;
                             break;
                         case 2:                        // delta (jump)
-                            // Protection
-                            if ((uint)x >= (uint)w)
-                                x = w-1;
-                            if ((uint)y >= (uint)h)
-                                y = h-1;
-
                             {
                                 quint8 tmp;
                                 d->getChar((char *)&tmp);
@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
                                 d->getChar((char *)&tmp);
                                 y += tmp;
                             }
+
+                            // Protection
+                            if ((uint)x >= (uint)w)
+                                x = w-1;
+                            if ((uint)y >= (uint)h)
+                                y = h-1;
+
                             p = data + (h-y-1)*bpl + x;
                             break;
                         default:                // absolute mode
-- 
cgit v1.2.3