diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-05-18 13:51:09 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-05-18 13:14:22 +0000 |
| commit | b761ff58d6d7b0604d88d6bd332b4470044ffe6a (patch) | |
| tree | 3b9aefecc5371121f1287d817696038b750f3c33 /src/plugins/imageformats/webp/qwebphandler.cpp | |
| parent | c75f5c0acfff3435b38a2ee96eabacf0c3feae94 (diff) | |
Fix UB in webp decode and memory leak in encoder
Ensure the ICC block is aligned before parsing and clear the writer
after we have initialized it.
Fixes: QTBUG-84267
Pick-to: 5.15
Change-Id: I7e16ee7663dbe404b4819769deab7d9c9b6c8f20
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src/plugins/imageformats/webp/qwebphandler.cpp')
| -rw-r--r-- | src/plugins/imageformats/webp/qwebphandler.cpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp index c1898d0..82d38cb 100644 --- a/src/plugins/imageformats/webp/qwebphandler.cpp +++ b/src/plugins/imageformats/webp/qwebphandler.cpp @@ -167,8 +167,11 @@ bool QWebpHandler::read(QImage *image) // Read global meta-data chunks first WebPChunkIterator metaDataIter; if ((m_formatFlags & ICCP_FLAG) && WebPDemuxGetChunk(m_demuxer, "ICCP", 1, &metaDataIter)) { - const QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes), - metaDataIter.chunk.size); + QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes), + metaDataIter.chunk.size); + // Ensure the profile is 4-byte aligned. + if (reinterpret_cast<qintptr>(iccProfile.constData()) & 0x3) + iccProfile.detach(); m_colorSpace = QColorSpace::fromIccProfile(iccProfile); // ### consider parsing EXIF and/or XMP metadata too. WebPDemuxReleaseChunkIterator(&metaDataIter); @@ -288,6 +291,7 @@ bool QWebpHandler::write(const QImage &image) if (!WebPEncode(&config, &picture)) { qWarning() << "failed to encode webp picture, error code: " << picture.error_code; WebPPictureFree(&picture); + WebPMemoryWriterClear(&writer); return false; } @@ -336,6 +340,7 @@ bool QWebpHandler::write(const QImage &image) static_cast<size_t>(device()->write(reinterpret_cast<const char *>(writer.mem), writer.size))); } WebPPictureFree(&picture); + WebPMemoryWriterClear(&writer); return res; } |