From 40da7331d6d818ec96604feaf978c8e6e828da7f Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Tue, 2 Mar 2021 16:57:15 +0100
Subject: Avoid scanline overflow when reading corrupt tiffs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check that the actual scanlines to be read by libtiff are not wider than expected. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero.
Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7
Reviewed-by: Allan Sandfeld Jensen
(cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5)
Reviewed-by: Qt Cherry-pick Bot
---
 src/plugins/imageformats/tiff/qtiffhandler.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index 34b2bb7..807792d 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -453,6 +453,10 @@ bool QTiffHandler::read(QImage *image)
 }
 _TIFFfree(buf);
 } else {
+ if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {
+ d->close();
+ return false;
+ }
 for (uint32 y=0; yscanLine(y), y, 0) < 0) {
 d->close();
-- cgit v1.2.3
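Review bot: The new guard rejects only the case where libtiff's scanline is wider than the QImage row; the reverse mismatch — `TIFFScanlineSize(tiff)` smaller than `image->bytesPerLine()` by more than any row-alignment padding — passes the check and leaves the tail of every row holding whatever the freshly allocated QImage buffer contained, the classic uninitialized-memory disclosure shape in image decoders. I can't tell from the hunk whether the format selection earlier in `read()` makes that impossible; if it doesn't, clear the buffer when the widths differ, e.g. right after the added guard: `if (image->bytesPerLine() != TIFFScanlineSize(tiff)) image->fill(0);`. A one-line comment on the guard would also help the next reader, e.g. `// Inconsistent tags in a corrupt file can make libtiff's scanline wider than the row we allocated; reject rather than overflow scanLine(y).` The context line `for (uint32 y=0; yscanLine(y), y, 0) < 0) {` is garbled by this page (lost `<` characters), not by the patch, and `QTiffHandler::read` begins and ends outside the hunk.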