QQuickSpriteEngine: avoid entering infinite loop in assembledImage()

Do not allow a frame size larger than the image size, otherwise
we would never leave "while (framesLeft > 0) {...}" as framesLeft is
never decremented because "copied/frameWidth" in the expression
"framesLeft -= copied/frameWidth;" always resolves to zero because
copied < frameWidth.

Task-number: QTBUG-53937
Change-Id: Ia777ec65d72562426b13533918efcaca5bcabdd7
Reviewed-by: Albert Astals Cid <albert.astals@canonical.com>
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
Reviewed-by: Andy Nichols <andy.nichols@qt.io>

1 files changed, 9 insertions, 0 deletions

diff --git a/src/quick/items/qquickspriteengine.cpp b/src/quick/items/qquickspriteengine.cpp
index 243feef683..864f632e7c 100644
--- a/src/quick/items/qquickspriteengine.cpp
+++ b/src/quick/items/qquickspriteengine.cpp
@@ -399,6 +399,15 @@ QImage QQuickSpriteEngine::assembledImage()
 
         QImage img = state->m_pix.image();
 
+        {
+            const QSize frameSize(state->m_frameWidth, state->m_frameHeight);
+            if (!(img.size() - frameSize).isValid()) {
+                qmlInfo(state).nospace() << "SpriteEngine: Invalid frame size " << frameSize << "."
+                                            " It's bigger than image size " << img.size() << ".";
+                return QImage();
+            }
+        }
+
         //Check that the frame sizes are the same within one sprite
         if (!state->m_frameWidth)
             state->m_frameWidth = img.width() / state->frames();