summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMauri VehniƤinen <ext-mauri.vehniainen@nokia.com>2011-02-18 09:10:08 (GMT)
committerHarald Fernengel <harald.fernengel@nokia.com>2011-02-18 09:10:08 (GMT)
commitd6c1e5d78bdfbeb373970b65d8260f7e9f9ce1bd (patch)
tree9e4bca596855926829e48d1727ca7662de91c070
parent1a9ea90144c7131029fdf19950d1f313a64eb4a1 (diff)
downloadQt-d6c1e5d78bdfbeb373970b65d8260f7e9f9ce1bd.zip
Qt-d6c1e5d78bdfbeb373970b65d8260f7e9f9ce1bd.tar.gz
Qt-d6c1e5d78bdfbeb373970b65d8260f7e9f9ce1bd.tar.bz2
Prevents crashing when ICO file has bad color table value
When color table value is read from ICO header memory allocation is made based on this value. This case is relevant only when reading 8bit images. Therefore values over 256 will abort reading the image. Task-number: QT-4535 Merge-request: 1090 Reviewed-by: Harald Fernengel <harald.fernengel@nokia.com>
-rw-r--r--src/plugins/imageformats/ico/qicohandler.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
index 5aa26d3..701207d 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -559,6 +559,8 @@ QImage ICOReader::iconAt(int index)
icoAttrib.ncolors = 0;
else // # colors used
icoAttrib.ncolors = header.biClrUsed ? header.biClrUsed : 1 << icoAttrib.nbits;
+ if (icoAttrib.ncolors > 256) //color table can't be more than 256
+ return img;
icoAttrib.w = iconEntry.bWidth;
if (icoAttrib.w == 0)
icoAttrib.w = header.biWidth;