From 25341cf53dfa36c83b74c125c260c72d2477ba5d Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Tue, 2 Mar 2021 16:57:15 +0100
Subject: Avoid scanline overflow when reading corrupt tiffs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check that the actual scanlines to be read by libtiff are not wider than expected. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero.

Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7
Reviewed-by: Allan Sandfeld Jensen
(cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5)
Reviewed-by: Qt Cherry-pick Bot
---
 src/plugins/imageformats/tiff/qtiffhandler.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 9107425..2df5152 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -442,6 +442,10 @@ bool QTiffHandler::read(QImage *image)
         }
         _TIFFfree(buf);
     } else {
+        if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {
+            d->close();
+            return false;
+        }
         for (uint32 y=0; yscanLine(y), y, 0) < 0) {
             d->close();
-- 
cgit v1.2.3
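Review bot: The new guard in the `else` branch accepts a `TIFFScanlineSize(tiff)` result of 0, which libtiff 4.x returns (with an error callback, not a crash) when the scanline-size computation itself overflows on a corrupt header, so such a file still falls through to the `TIFFReadScanline` loop; I would treat a non-positive size as corrupt too, e.g. `const auto lineSize = TIFFScanlineSize(tiff); if (lineSize <= 0 || image->bytesPerLine() < lineSize) {`. The strict `<` also tolerates a scanline narrower than the QImage line, which is expected because `bytesPerLine()` includes 4-byte row padding, but if the image buffer is not filled earlier in `read()` (not visible here) the trailing bytes of each row stay uninitialized; worth confirming rather than tightening the comparison. The check deserves a one-line why-comment since the `<` direction is easy to misread: `// Corrupt headers can make libtiff's scanline wider than the QImage row; reading it would overflow scanLine(y).` Note that `QTiffHandler::read` starts and ends outside this hunk, so the earlier buffered path is not reviewed here.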