From 1a790ba6151a3128b49d3dc556d3373dbda9f9d1 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 18 May 2020 13:51:09 +0200
Subject: Fix UB in webp decode and memory leak in encoder

Ensure the ICC block is aligned before parsing and clear the writer
after we have initialized it.

Fixes: QTBUG-84267
Change-Id: I7e16ee7663dbe404b4819769deab7d9c9b6c8f20
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit b761ff58d6d7b0604d88d6bd332b4470044ffe6a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/plugins/imageformats/webp/qwebphandler.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp
index c1898d0..82d38cb 100644
--- a/src/plugins/imageformats/webp/qwebphandler.cpp
+++ b/src/plugins/imageformats/webp/qwebphandler.cpp
@@ -167,8 +167,11 @@ bool QWebpHandler::read(QImage *image)
         // Read global meta-data chunks first
         WebPChunkIterator metaDataIter;
         if ((m_formatFlags & ICCP_FLAG) && WebPDemuxGetChunk(m_demuxer, "ICCP", 1, &metaDataIter)) {
-            const QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes),
-                                                                  metaDataIter.chunk.size);
+            QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes),
+                                                            metaDataIter.chunk.size);
+            // Ensure the profile is 4-byte aligned.
+            if (reinterpret_cast<qintptr>(iccProfile.constData()) & 0x3)
+                iccProfile.detach();
             m_colorSpace = QColorSpace::fromIccProfile(iccProfile);
             // ### consider parsing EXIF and/or XMP metadata too.
             WebPDemuxReleaseChunkIterator(&metaDataIter);
@@ -288,6 +291,7 @@ bool QWebpHandler::write(const QImage &image)
     if (!WebPEncode(&config, &picture)) {
         qWarning() << "failed to encode webp picture, error code: " << picture.error_code;
         WebPPictureFree(&picture);
+        WebPMemoryWriterClear(&writer);
         return false;
     }
 
@@ -336,6 +340,7 @@ bool QWebpHandler::write(const QImage &image)
                    static_cast<size_t>(device()->write(reinterpret_cast<const char *>(writer.mem), writer.size)));
     }
     WebPPictureFree(&picture);
+    WebPMemoryWriterClear(&writer);
 
     return res;
 }
-- 
cgit v1.2.3