author Lars Knoll <lars.knoll@digia.com> 2014-04-24 13:33:27 (GMT)
committer The Qt Project <gerrit-noreply@qt-project.org> 2014-05-06 20:06:07 (GMT)
commit f1b76c126c476c155af8c404b97c42cd1a709333
tree c1d54a0a1d7d70b9c53b8f111dc64f515890ad16 /src/gui
parent bdcb3a821258f3d5f01e7d9b162b24c1c64236e9
Don't crash on broken GIF images

Broken GIF images could set invalid width and height values inside the image, leading to Qt creating a null QImage for it. In that case we need to abort decoding the image and return an error.

Initial patch by Rich Moore.

Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5

Task-number: QTBUG-38367
Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a
Security-advisory: CVE-2014-0190
Reviewed-by: Richard J. Moore <rich@kde.org>

Diffstat (limited to 'src/gui')
-rw-r--r-- src/gui/image/qgifhandler.cpp 7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
index 3324f04..5199dd3 100644
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
memset(bits, 0, image->byteCount());
}
+ // Check if the previous attempt to create the image failed. If it
+ // did then the image is broken and we should give up.
+ if (image->isNull()) {
+ state = Error;
+ return -1;
+ }
+
disposePrevious(image);
disposed = false;
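
Review bot: the `image->isNull()` check lands after the closing brace of the preceding block, whose last visible statement is `memset(bits, 0, image->byteCount());`, so if that block is the one that tried to create the image, the memset has already run against the failed image by the time the check fires. Consider testing `image->isNull()` immediately after the image is created and before the memset, or rejecting the invalid width and height values the commit message describes at the point where they are read from the file, so the error path never touches `bits`. The early `return -1` with `state = Error` otherwise does stop the decode before `disposePrevious(image)` is reached.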