From d6c84875227f00b8db85685f53b355d4c58eacd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauri=20Vehni=C3=A4inen?= <ext-mauri.vehniainen@nokia.com>
Date: Fri, 18 Feb 2011 10:10:08 +0100
Subject: Prevents crashing when ICO file has bad color table value

When color table value is read from ICO header memory allocation is
made based on this value. This case is relevant only when reading
8bit images. Therefore values over 256 will abort reading the image.

Task-number: QT-4535

Merge-request: 1090
Reviewed-by: Harald Fernengel <harald.fernengel@nokia.com>
(cherry picked from commit d6c1e5d78bdfbeb373970b65d8260f7e9f9ce1bd)
---
 src/plugins/imageformats/ico/qicohandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
index 6d0102b..3f33f23 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -559,6 +559,8 @@ QImage ICOReader::iconAt(int index)
                     icoAttrib.ncolors = 0;
                 else                    // # colors used
                     icoAttrib.ncolors = header.biClrUsed ? header.biClrUsed : 1 << icoAttrib.nbits;
+                if (icoAttrib.ncolors > 256) //color table can't be more than 256
+                    return img;
                 icoAttrib.w = iconEntry.bWidth;
                 if (icoAttrib.w == 0)
                     icoAttrib.w = header.biWidth;
-- 
cgit v0.12