Don't crash on broken GIF images
author Lars Knoll <lars.knoll@digia.com>
Thu, 24 Apr 2014 13:33:27 +0000 (15:33 +0200)
committer Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Wed, 18 Apr 2018 20:45:31 +0000 (21:45 +0100)
Broken GIF images could set invalid width and height
values inside the image, leading to Qt creating a null
QImage for it. In that case we need to abort decoding
the image and return an error.

Initial patch by Rich Moore.

Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5

Task-number: QTBUG-38367
Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a
Security-advisory: CVE-2014-0190

Gbp-Pq: Name dont_crash_on_broken_gif_images.patch

src/gui/image/qgifhandler.cpp

index 2a9217a2db7a22da315fa33adacf3d5ca3fd8715..5ef1a4ac3ac6a0198070431d127b3d0a5a253559 100644 (file)
@@ -366,6 +366,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
                     return -1;
                 }
 
+                // Check if the previous attempt to create the image failed. If it
+                // did then the image is broken and we should give up.
+                if (image->isNull()) {
+                    state = Error;
+                    return -1;
+                }
+
                 disposePrevious(image);
                 disposed = false;
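
Review bot: The new image->isNull() check before disposePrevious(image) catches the failed image creation only after the fact, and its comment does not say what makes the image null. The commit message attributes it to invalid width and height values in the GIF, so the comment should name that cause, and it would be worth rejecting invalid dimensions at the point where they are read so the error is reported at its source. The patch as shown touches only src/gui/image/qgifhandler.cpp; a regression test that loads a GIF with invalid dimensions and expects decoding to fail would guard this path.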