Don't crash when BMP color table is broken

If the BMP's number of color table entries is out of bounds, we would resize our color table vector to a silly value, leading to crashes later on. If the number of color table entries is larger than 256, just stop processing the BMP since it's most probably corrupt. Task-number: QT-4534 Reviewed-by: Robert Griebl
author: Harald Fernengel <harald.fernengel@nokia.com> 2011-02-04 12:36:27 (GMT)
committer: Harald Fernengel <harald.fernengel@nokia.com> 2011-02-04 12:36:27 (GMT)
commit: de1cfc13c66fcb35d0a211bb5136ebc25279041a (patch)
tree: 366d674acece675b9c6dc7ed8f4e15a604b1ac26
parent: dd7873cd7e02e42b384709f33a34f69bc06fb25d (diff)
download: Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.zip
Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.tar.gz
Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 09c086a..6dea9d9 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -246,6 +246,8 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 
     if (depth != 32) {
         ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
+        if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+            return false;
         image.setColorCount(ncols);
     }
author	Harald Fernengel <harald.fernengel@nokia.com>	2011-02-04 12:36:27 (GMT)
committer	Harald Fernengel <harald.fernengel@nokia.com>	2011-02-04 12:36:27 (GMT)
commit	de1cfc13c66fcb35d0a211bb5136ebc25279041a (patch)
tree	366d674acece675b9c6dc7ed8f4e15a604b1ac26
parent	dd7873cd7e02e42b384709f33a34f69bc06fb25d (diff)
download	Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.zip Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.tar.gz Qt-de1cfc13c66fcb35d0a211bb5136ebc25279041a.tar.bz2