From de1cfc13c66fcb35d0a211bb5136ebc25279041a Mon Sep 17 00:00:00 2001
From: Harald Fernengel
Date: Fri, 4 Feb 2011 13:36:27 +0100
Subject: Don't crash when BMP color table is broken
If the BMP's number of color table entries is out of bounds, we would resize our color table vector to a silly value, leading to crashes later on. If the number of color table entries is larger than 256, just stop processing the BMP since it's most probably corrupt.
Task-number: QT-4534
Reviewed-by: Robert Griebl
---
src/gui/image/qbmphandler.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 09c086a..6dea9d9 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -246,6 +246,8 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
 if (depth != 32) {
 ncols = bi.biClrUsed ? bi.biClrUsed : 1 << nbits;
+ if (ncols > 256) // sanity check - don't run out of mem if color table is broken
+ return false;
 image.setColorCount(ncols);
 }
--
cgit v0.12
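Review bot: The new guard bounds `ncols` only from above, so a negative value still reaches `image.setColorCount(ncols)` on the next line; the hunk does not show how `ncols` or `BMP_INFOHDR::biClrUsed` are declared, but if `biClrUsed` is a signed 32-bit field read straight from the file, a crafted header with the top bit set makes `ncols` negative and passes this sanity check, and the same goes for `1 << nbits` if `nbits` can reach 31 or more. Reject the low end as well: `if (ncols < 1 || ncols > 256) // sanity check - don't run out of mem if color table is broken`. A one-line comment on the accepted range would also help, e.g. `// BMP palettes have at most 256 entries; anything else is a corrupt or hostile header`. `read_dib_body` begins and ends outside the hunk, so I cannot see whether a later read of the color table re-validates `ncols` against `nbits`.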