From: Eirik Aavitsland
Date: Fri, 3 Aug 2018 11:25:15 +0000 (+0200)
Subject: Check for QImage allocation failure in qgifhandler
X-Git-Tag: archive/raspbian/4%4.8.7+dfsg-18+rpi1^2~53
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=185cc4b57f5f04c70fa8344775215664e0ac56af;p=qt4-x11.git

Check for QImage allocation failure in qgifhandler

Since image files easily can be (or corrupt files claim to be) huge, it is worth checking for out of memory situations.

Change-Id: I635a3ec6852288079fdec4e14cf7e776fe59e9e0
Reviewed-by: Lars Knoll
Gbp-Pq: Name CVE-2018-19870.patch
---
diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
index 5ef1a4ac3..9db38e8fd 100644
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@@ -356,7 +356,8 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 (*image) = QImage(swidth, sheight, format);
 bpl = image->bytesPerLine();
 bits = image->bits();
- memset(bits, 0, image->byteCount());
+ if (bits)
+ memset(bits, 0, image->byteCount());
 }
 
 // Check if the previous attempt to create the image failed. If it
@@ -424,6 +425,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 backingstore = QImage(qMax(backingstore.width(), w),
 qMax(backingstore.height(), h),
 QImage::Format_RGB32);
+ if (backingstore.isNull()) {
+ state = Error;
+ return -1;
+ }
 memset(bits, 0, image->byteCount());
 }
 const int dest_bpl = backingstore.bytesPerLine();
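Review bot: The two allocation checks in this patch handle the same failure differently: in the first hunk the `if (bits)` guard only skips the memset and lets decode() carry on with a null `bits`, while the second hunk sets `state = Error` and returns -1 at once. The trailing context comment suggests a later check gives up on a failed image, but that check lies outside the hunk, so safety depends on nothing dereferencing `bits` before it runs. A comment on the guard such as `// QImage allocation can fail for huge (possibly bogus) dimensions; the check below gives up on the image` would make that dependency explicit, or the guard could test `image->isNull()` to match the second hunk.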
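Review bot: In the second hunk, the unchanged `memset(bits, 0, image->byteCount());` right after the new `isNull()` check clears the frame image's buffer, not the backing store that was just reallocated, so the new `backingstore` pixels appear to stay uninitialised. If zeroing the new allocation was the intent, the line would read `memset(backingstore.bits(), 0, backingstore.byteCount());`; this needs confirming against the rest of decode(), which continues outside the hunk. Separately, `w` and `h` presumably derive from the file being decoded, so an allocation that succeeds can still be very large; an explicit upper bound on frame dimensions would complement the null check.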