diff options
| author | Eirik Aavitsland <eirik.aavitsland@theqtcompany.com> | 2015-03-11 12:34:01 (GMT) |
|---|---|---|
| committer | aavit <eirik.aavitsland@theqtcompany.com> | 2015-03-13 10:16:45 (GMT) |
| commit | 3e55cd6dc467303a3c35312e9fcb255c2c048b32 (patch) | |
| tree | ea1f5bb93b7c473fd835f96f47e73abccd04f2a8 /src/gui | |
| parent | a1cf194c54be57d6ab55dfd26b9562a60532208e (diff) | |
| download | Qt-3e55cd6dc467303a3c35312e9fcb255c2c048b32.zip Qt-3e55cd6dc467303a3c35312e9fcb255c2c048b32.tar.gz Qt-3e55cd6dc467303a3c35312e9fcb255c2c048b32.tar.bz2 | |
Fixes crash in bmp and ico image decoding
Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.
Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src/gui')
| -rw-r--r-- | src/gui/image/qbmphandler.cpp | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp index 30fa9e0..17a880b 100644 --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int p = data + (h-y-1)*bpl; break; case 2: // delta (jump) - // Protection - if ((uint)x >= (uint)w) - x = w-1; - if ((uint)y >= (uint)h) - y = h-1; - { quint8 tmp; d->getChar((char *)&tmp); @@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int d->getChar((char *)&tmp); y += tmp; } + + // Protection + if ((uint)x >= (uint)w) + x = w-1; + if ((uint)y >= (uint)h) + y = h-1; + p = data + (h-y-1)*bpl + x; break; default: // absolute mode |