authorEirik Aavitsland <eirik.aavitsland@qt.io>2021-03-02 16:57:15 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2021-03-03 14:16:47 +0000
commit40da7331d6d818ec96604feaf978c8e6e828da7f (patch)
tree8ba91cc7a4e0fc78e6524653f5f1affda57c1951
parent769e8f527e5d5f2a034dd0edfc1831b503bf7950 (diff)
Avoid scanline overflow when reading corrupt tiffs
Check that the actual scanlines to be read by libtiff are not wider than expected. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero. Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> (cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/plugins/imageformats/tiff/qtiffhandler.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 34b2bb7..807792d 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -453,6 +453,10 @@ bool QTiffHandler::read(QImage *image)
}
_TIFFfree(buf);
} else {
+ if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {
+ d->close();
+ return false;
+ }
for (uint32 y=0; y<height; ++y) {
if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) {
d->close();
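Review bot: The guard added at the top of the `else` branch has no comment saying why `image->bytesPerLine()` and `TIFFScanlineSize(tiff)` can differ, so it reads as redundant to anyone who assumes both come from the same header fields. I would add `// TIFFReadScanline() writes TIFFScanlineSize() bytes into each row; reject corrupt files where that is wider than the QImage row` above the `if`. The check covers only this scanline path: the branch that ends just above the hunk frees an intermediate `buf`, and whether its copy into the image rows is bounded by the row width is not visible here, so that is worth confirming in the same review. The rejection is also silent, which makes such a file hard to tell apart from any other read failure during triage. `QTiffHandler::read` begins and ends outside the hunk.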