authorEirik Aavitsland <eirik.aavitsland@qt.io>2021-03-02 16:57:15 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2021-03-03 13:31:47 +0000
commit25341cf53dfa36c83b74c125c260c72d2477ba5d (patch)
tree76e7ff05167f0204e69b6448301ba434ea262e70
parent7addba23d17b7c29a9a8247699fc3f0617d8e6c4 (diff)
Avoid scanline overflow when reading corrupt tiffsv5.12.11
Check that the actual scanlines to be read by libtiff are not wider than expected. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero. Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> (cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/plugins/imageformats/tiff/qtiffhandler.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 9107425..2df5152 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -442,6 +442,10 @@ bool QTiffHandler::read(QImage *image)
}
_TIFFfree(buf);
} else {
+ if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {
+ d->close();
+ return false;
+ }
for (uint32 y=0; y<height; ++y) {
if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) {
d->close();
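Review bot: The new guard in the scanline branch accepts any TIFFScanlineSize() result that is not larger than the row, so a zero return (which libtiff, as far as I know, uses to signal a failed size computation) passes and the loop still hands image->scanLine(y) to TIFFReadScanline. Consider capturing the value and rejecting non-positive sizes as well: `const auto scanSize = TIFFScanlineSize(tiff);` followed by `if (scanSize <= 0 || image->bytesPerLine() < scanSize) {`. A short comment above the check, such as `// libtiff writes a full scanline per call; refuse files whose scanline is wider than the QImage row`, would record why it is there. The check covers only this branch, and read() starts and ends outside the hunk, so whether the other read paths have an equivalent bound cannot be confirmed from here.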