From 2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Wed, 27 May 2020 12:50:26 +0200
Subject: gif image handler: check for out of range image size

Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file.

Pick-to: 5.15 5.12 5.9
Change-Id: Ic556d4fbcb6b542fc110d10e48dac1a880e60697
Reviewed-by: Lars Knoll
---
 src/plugins/imageformats/gif/qgifhandler.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'src/plugins')

diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index c0af900656..f7dc8e481f 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -78,6 +78,10 @@ public:
 private:
     void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
     inline QRgb color(uchar index) const;
+    static bool withinSizeLimit(int width, int height)
+    {
+        return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+    }
 
     // GIF specific stuff
     QRgb* globalcmap;
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
                 if (image->isNull()) {
+                    if (!withinSizeLimit(swidth, sheight)) {
+                        state = Error;
+                        return -1;
+                    }
                     (*image) = QImage(swidth, sheight, format);
                     bpl = image->bytesPerLine();
                     bits = image->bits();
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 if (backingstore.width() < w
                     || backingstore.height() < h) {
+
+                    if (!withinSizeLimit(w, h)) {
+                        state = Error;
+                        return -1;
+                    }
                     // We just use the backing store as a byte array
                     backingstore = QImage(qMax(backingstore.width(), w),
                                           qMax(backingstore.height(), h),
--
cgit v1.2.3
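Review bot: `withinSizeLimit` relies on unsigned wraparound for negative inputs: `quint64(width)` of a negative `width` becomes a value near 2^64, `height` is converted to `quint64` by the usual arithmetic conversions as well, and the product can wrap back below the bound, so a pair such as (-1, -1) evaluates to 1 and passes. Whether the callers can ever hand it a negative value is not visible in these hunks (the header parsing is outside them), so a guard inside the helper keeps it correct independently of the call sites: `if (width <= 0 || height <= 0) return false;` before the multiplication. Naming the bound would also document why 16384 was chosen, e.g. `static constexpr quint64 kMaxPixels = quint64(16384) * 16384; // 1 GiB at 4 bytes per pixel`.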
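Review bot: The new guard bounds the requested size but not the allocation on the line after it: `QImage(swidth, sheight, format)` still yields a null image when the allocation fails (sizes up to about 1 GiB remain allowed), and `image->bits()` then returns a null pointer that the remainder of `decode`, outside this hunk, presumably writes through. The same early-exit shape would cover that case: `if (image->isNull()) { state = Error; return -1; }` immediately after the assignment, before `bpl` and `bits` are read from it. `decode` begins and ends outside the hunk.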
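Review bot: The limit is applied to the frame's own `w`/`h`, but the image constructed two lines below has dimensions `qMax(backingstore.width(), w)` by `qMax(backingstore.height(), h)`, so two frames that each pass individually (a wide, short backingstore followed by a narrow, tall frame) combine into an allocation far beyond the bound. Checking the dimensions that are actually allocated closes that gap, and the stray blank `+` line at the top of the hunk can go at the same time. The `QImage` constructor call and the enclosing function continue outside the hunk.
```cpp
                if (backingstore.width() < w
                    || backingstore.height() < h) {
                    const int bsWidth = qMax(backingstore.width(), w);
                    const int bsHeight = qMax(backingstore.height(), h);
                    if (!withinSizeLimit(bsWidth, bsHeight)) {
                        state = Error;
                        return -1;
                    }
                    // We just use the backing store as a byte array
                    backingstore = QImage(bsWidth, bsHeight,
                    // … unchanged: remaining QImage constructor arguments …
```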