author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-03-02 16:57:15 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-03-03 13:31:47 +0000 |
commit | 25341cf53dfa36c83b74c125c260c72d2477ba5d (patch) | |
tree | 76e7ff05167f0204e69b6448301ba434ea262e70 | |
parent | 7addba23d17b7c29a9a8247699fc3f0617d8e6c4 (diff) |
Avoid scanline overflow when reading corrupt tiffs v5.12.11
Check that the actual scanlines to be read by libtiff are not
wider than expected.
This issue was reported by Samuel Groß and Natalie Silvanovich of
Google Project Zero.
Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/plugins/imageformats/tiff/qtiffhandler.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp index 9107425..2df5152 100644 --- a/src/plugins/imageformats/tiff/qtiffhandler.cpp +++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp @@ -442,6 +442,10 @@ bool QTiffHandler::read(QImage *image) } _TIFFfree(buf); } else { + if (image->bytesPerLine() < TIFFScanlineSize(tiff)) { + d->close(); + return false; + } for (uint32 y=0; y<height; ++y) { if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) { d->close(); |
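Review bot: The new guard in the else branch, `if (image->bytesPerLine() < TIFFScanlineSize(tiff))`, rejects the file silently and has no comment saying why the two sizes can disagree. A one-line comment stating that libtiff writes a full scanline into `image->scanLine(y)` and that the QImage row must be at least that wide, plus a qWarning before `d->close()`, would make both the intent and the failure diagnosable. The comparison also mixes the return type of `bytesPerLine()` with libtiff's signed `tmsize_t`, so casting both sides to one explicit type would keep it clear of sign and width conversion warnings. The diffstat shows only qtiffhandler.cpp touched, so a regression test that loads a corrupt TIFF of this kind and expects `read()` to return false would protect the check against later refactoring.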