From 56b5acb2a858d0eb276ecc06d63caa7275f44dd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20R=C3=B8dal?=
Date: Tue, 5 Feb 2013 09:44:26 +0100
Subject: Fixed crash in image reader when reading certain BMP files.

If the high bit in a mask is set, for instance if the mask is 0xff000000, and we shift it to the right by 24 positions, since the mask was not declared as unsigned we ended up with a mask value of 0xffffffff. We then add 1 to this value and divide by the result, causing a division by zero crash. The masks need to be declared unsigned to prevent sign bit extension when shifting right.

Task-number: QTBUG-29194
Change-Id: I1003d546a70d540b5c135b6b75dee9b4962a7210
Reviewed-by: Gunnar Sletta
(cherry picked from qtbase, af84313c622af880e95d461ea8b7dbca58d2dffa)
---
 src/gui/image/qbmphandler.cpp | 8 ++++----
 tests/auto/qimagereader/images/rgb32bf.bmp | Bin 0 -> 32578 bytes
 tests/auto/qimagereader/qimagereader.qrc | 1 +
 tests/auto/qimagereader/tst_qimagereader.cpp | 1 +
 4 files changed, 6 insertions(+), 4 deletions(-)
 create mode 100644 tests/auto/qimagereader/images/rgb32bf.bmp
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index d59c9d7..3d02caa 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -143,7 +143,7 @@ static QDataStream &operator<<(QDataStream &s, const BMP_INFOHDR &bi)
 return s;
 }
 
-static int calc_shift(int mask)
+static int calc_shift(uint mask)
 {
 int result = 0;
 while (mask && !(mask & 1)) {
@@ -207,9 +207,9 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 #endif
 int w = bi.biWidth, h = bi.biHeight, nbits = bi.biBitCount;
 int t = bi.biSize, comp = bi.biCompression;
- int red_mask = 0;
- int green_mask = 0;
- int blue_mask = 0;
+ uint red_mask = 0;
+ uint green_mask = 0;
+ uint blue_mask = 0;
 int red_shift = 0;
 int green_shift = 0;
 int blue_shift = 0;
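Review bot: The `uint mask` parameter of calc_shift carries the whole fix, yet nothing at the signature says why the type matters, so a later cleanup back to `int` would quietly bring back the sign-extending shift. I would add a comment above the function such as `// mask is unsigned on purpose: >> on a negative int sign-extends, so a mask with bit 31 set would never shift down to its low bits`. The loop body and the return are outside this hunk, so this assumes the right shift is applied to `mask` itself inside the loop.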
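Review bot: Declaring `red_mask`, `green_mask` and `blue_mask` as `uint` removes the sign extension, but a mask with every bit set still makes the divisor zero. Going by the commit description the code divides by `(mask >> shift) + 1`, and for a `uint` mask of 0xffffffff the shift is 0 and the addition wraps to 0. The masks presumably come from the BMP being decoded, so this value is chosen by whoever supplies the file. The code that reads the masks and divides is outside this hunk; where the masks are first known I would reject the image, e.g. `if (red_mask == 0xffffffffu || green_mask == 0xffffffffu || blue_mask == 0xffffffffu) return false;`, or test each computed divisor for zero before dividing.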
diff --git a/tests/auto/qimagereader/images/rgb32bf.bmp b/tests/auto/qimagereader/images/rgb32bf.bmp
new file mode 100644
index 0000000..20fa9a1
Binary files /dev/null and b/tests/auto/qimagereader/images/rgb32bf.bmp differ
diff --git a/tests/auto/qimagereader/qimagereader.qrc b/tests/auto/qimagereader/qimagereader.qrc
index 03c03d6..f7fc718 100644
--- a/tests/auto/qimagereader/qimagereader.qrc
+++ b/tests/auto/qimagereader/qimagereader.qrc
@@ -38,6 +38,7 @@
 images/noclearcode.bmp
 images/noclearcode.gif
 images/nontransparent.xpm
+ images/rgb32bf.bmp
 images/runners.ppm
 images/teapot.ppm
 images/test.ppm
diff --git a/tests/auto/qimagereader/tst_qimagereader.cpp b/tests/auto/qimagereader/tst_qimagereader.cpp
index 6689d4f..c53488d 100644
--- a/tests/auto/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/qimagereader/tst_qimagereader.cpp
@@ -246,6 +246,7 @@ void tst_QImageReader::readImage_data()
 QTest::newRow("BMP: 4bpp uncompressed") << QString("tst7.bmp") << true << QByteArray("bmp");
 QTest::newRow("BMP: 16bpp") << QString("16bpp.bmp") << true << QByteArray("bmp");
 QTest::newRow("BMP: negative height") << QString("negativeheight.bmp") << true << QByteArray("bmp");
+ QTest::newRow("BMP: high mask bit set") << QString("rgb32bf.bmp") << true << QByteArray("bmp");
 QTest::newRow("XPM: marble") << QString("marble.xpm") << true << QByteArray("xpm");
 QTest::newRow("PNG: kollada") << QString("kollada.png") << true << QByteArray("png");
 QTest::newRow("PPM: teapot") << QString("teapot.ppm") << true << QByteArray("ppm");
-- 
cgit v0.12