author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-03-02 16:57:15 +0100 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-03-03 12:35:26 +0100 |
commit | 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5 (patch) | |
tree | 8c63a1526bc8761e72ee712b62abde84d8c06366 /src | |
parent | fdf7f8f8c8e1c7b41a7315195efe876250ac9c35 (diff) |
Avoid scanline overflow when reading corrupt tiffs
Check that the actual scanlines to be read by libtiff are not
wider than expected.
This issue was reported by Samuel Groß and Natalie Silvanovich of
Google Project Zero.
Pick-to: 6.1 6.0 5.15 5.12
Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/imageformats/tiff/qtiffhandler.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp index d9e5478..2f32b6d 100644 --- a/src/plugins/imageformats/tiff/qtiffhandler.cpp +++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp @@ -453,6 +453,10 @@ bool QTiffHandler::read(QImage *image) } _TIFFfree(buf); } else { + if (image->bytesPerLine() < TIFFScanlineSize(tiff)) { + d->close(); + return false; + } for (uint32 y=0; y<height; ++y) { if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) { d->close(); |
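Review bot: the new guard in the else branch of QTiffHandler::read() has no comment saying what it protects, and the diffstat shows only qtiffhandler.cpp changed, so no regression test accompanies it. A one-line comment above `if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {` stating that TIFFReadScanline writes a full libtiff scanline into image->scanLine(y), and that the QImage row must therefore be at least that wide, would keep the check from being dropped in a later refactor. The guard covers only the scanline loop; the preceding branch that ends in `_TIFFfree(buf);` is not visible in this hunk, so it is worth confirming that its copy into the image is bounded in the same way. A small corrupt TIFF added to the image format autotests, with read() expected to return false, would pin the behaviour for the branches listed in Pick-to.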