From 78488c1aa32d9f61656969de387b0b1d17b781db Mon Sep 17 00:00:00 2001
From: Laszlo Agocs <laszlo.agocs@qt.io>
Date: Thu, 21 Mar 2019 10:11:09 +0100
Subject: Add safety checks to ktx parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Task-number: QT3DS-3186
Change-Id: I214bd7e4b501b2db4b3b9f1e82adf943ba63a300
Reviewed-by: Antti Määttä <antti.maatta@qt.io>
Reviewed-by: Miikka Heikkinen <miikka.heikkinen@qt.io>
---
 src/runtime/q3dsimageloaders_p.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/runtime/q3dsimageloaders_p.h b/src/runtime/q3dsimageloaders_p.h
index a1e2459..2904300 100644
--- a/src/runtime/q3dsimageloaders_p.h
+++ b/src/runtime/q3dsimageloaders_p.h
@@ -915,6 +915,7 @@ inline QVector<Qt3DRender::QTextureImageDataPtr> q3ds_loadKtx(QIODevice *source)
         return result;
     }
 
+    const int rawDataSize = rawData.size();
     const char *basep = rawData.constData();
     const char *p = basep;
     const int level0Width = decode(header.pixelWidth);
@@ -945,11 +946,16 @@ inline QVector<Qt3DRender::QTextureImageDataPtr> q3ds_loadKtx(QIODevice *source)
     }
 
     for (int mip = 0; mip < mipMapLevels; ++mip) {
+        if (p + 4 - basep > rawDataSize)
+            break;
         int imageSize = *reinterpret_cast<const quint32 *>(p);
         p += 4;
         for (int face = 0; face < faceCount; ++face) {
+            const int nextOffset = p + imageSize - basep;
+            if (nextOffset > rawDataSize)
+                break;
             result << createImageData(QByteArray(p, imageSize), mip);
-            p = basep + q3ds_alignedOffset(p + imageSize - basep, 4);
+            p = basep + q3ds_alignedOffset(nextOffset, 4);
         }
     }
 
-- 
cgit v1.2.3