diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-05-18 13:51:09 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-05-18 14:09:00 +0000 |
| commit | 1a790ba6151a3128b49d3dc556d3373dbda9f9d1 (patch) | |
| tree | a1defeeff05e2971abfe9ffaa740d654eecb4acd | |
| parent | ec15f82b67b851d9dc789cc292c662a988100534 (diff) | |
Fix UB in webp decode and memory leak in encoder
Ensure the ICC block is aligned before parsing and clear the writer
after we have initialized it.
Fixes: QTBUG-84267
Change-Id: I7e16ee7663dbe404b4819769deab7d9c9b6c8f20
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit b761ff58d6d7b0604d88d6bd332b4470044ffe6a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/plugins/imageformats/webp/qwebphandler.cpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp index c1898d0..82d38cb 100644 --- a/src/plugins/imageformats/webp/qwebphandler.cpp +++ b/src/plugins/imageformats/webp/qwebphandler.cpp @@ -167,8 +167,11 @@ bool QWebpHandler::read(QImage *image) // Read global meta-data chunks first WebPChunkIterator metaDataIter; if ((m_formatFlags & ICCP_FLAG) && WebPDemuxGetChunk(m_demuxer, "ICCP", 1, &metaDataIter)) { - const QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes), - metaDataIter.chunk.size); + QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes), + metaDataIter.chunk.size); + // Ensure the profile is 4-byte aligned. + if (reinterpret_cast<qintptr>(iccProfile.constData()) & 0x3) + iccProfile.detach(); m_colorSpace = QColorSpace::fromIccProfile(iccProfile); // ### consider parsing EXIF and/or XMP metadata too. WebPDemuxReleaseChunkIterator(&metaDataIter); @@ -288,6 +291,7 @@ bool QWebpHandler::write(const QImage &image) if (!WebPEncode(&config, &picture)) { qWarning() << "failed to encode webp picture, error code: " << picture.error_code; WebPPictureFree(&picture); + WebPMemoryWriterClear(&writer); return false; } @@ -336,6 +340,7 @@ bool QWebpHandler::write(const QImage &image) static_cast<size_t>(device()->write(reinterpret_cast<const char *>(writer.mem), writer.size))); } WebPPictureFree(&picture); + WebPMemoryWriterClear(&writer); return res; } |