From: Eirik Aavitsland Date: Wed, 11 Mar 2015 12:34:01 +0000 (+0100) Subject: Fixes crash in bmp and ico image decoding X-Git-Tag: archive/raspbian/4%4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2+rpi1~1^2~48 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=738440207c2f928a2921c696b24619adb7c11b09;p=qt4-x11.git Fixes crash in bmp and ico image decoding Fuzzing test revealed that for certain malformed bmp and ico files, the handler would segfault. Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078) Reviewed-by: Richard J. Moore Gbp-Pq: Name fixes_crash_in_bmp_and_ico_image_decoder.patch --- diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp index b22e84220..0b9edf5cb 100644 --- a/src/gui/image/qbmphandler.cpp +++ b/src/gui/image/qbmphandler.cpp @@ -472,12 +472,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int p = data + (h-y-1)*bpl; break; case 2: // delta (jump) - // Protection - if ((uint)x >= (uint)w) - x = w-1; - if ((uint)y >= (uint)h) - y = h-1; - { quint8 tmp; d->getChar((char *)&tmp); @@ -485,6 +479,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int d->getChar((char *)&tmp); y += tmp; } + + // Protection + if ((uint)x >= (uint)w) + x = w-1; + if ((uint)y >= (uint)h) + y = h-1; + p = data + (h-y-1)*bpl + x; break; default: // absolute mode diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp index 1a8860532..3c3476576 100644 --- a/src/plugins/imageformats/ico/qicohandler.cpp +++ b/src/plugins/imageformats/ico/qicohandler.cpp @@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index) QImage::Format format = QImage::Format_ARGB32; if (icoAttrib.nbits == 24) format = QImage::Format_RGB32; - else if (icoAttrib.ncolors == 2) + else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) format = QImage::Format_Mono; else if (icoAttrib.ncolors > 0) format = QImage::Format_Indexed8;