Don't crash when BMP color table is broken

If the BMP's number of color table entries is out of bounds, we would resize our color table vector to a silly value, leading to crashes later on. If the number of color table entries is larger than 256, just stop processing the BMP since it's most probably corrupt. Task-number: QT-4534 Reviewed-by: Robert Griebl (cherry picked from commit de1cfc13c66fcb35d0a211bb5136ebc25279041a)
author: Harald Fernengel <harald.fernengel@nokia.com> 2011-02-04 12:36:27 (GMT)
committer: Jason McDonald <jason.mcdonald@nokia.com> 2011-02-11 13:25:05 (GMT)
commit: cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5 (patch)
tree: d8ff89544c568e09b743b96e326620943bbea3ef /src
parent: d116612d7447900733ee7c4c193e4c83f76cd8ff (diff)
download: Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.zip
Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.tar.gz
Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 09c086a..6dea9d9 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -246,6 +246,8 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 
     if (depth != 32) {
         ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
+        if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+            return false;
         image.setColorCount(ncols);
     }
author	Harald Fernengel <harald.fernengel@nokia.com>	2011-02-04 12:36:27 (GMT)
committer	Jason McDonald <jason.mcdonald@nokia.com>	2011-02-11 13:25:05 (GMT)
commit	cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5 (patch)
tree	d8ff89544c568e09b743b96e326620943bbea3ef /src
parent	d116612d7447900733ee7c4c193e4c83f76cd8ff (diff)
download	Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.zip Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.tar.gz Qt-cc0f75c93a0f97d0c71b2a8d3005f119e9a85ea5.tar.bz2