From: Eirik Aavitsland Date: Tue, 4 Sep 2018 09:08:06 +0000 (+0200) Subject: bmp image handler: check for out of range image size X-Git-Tag: archive/raspbian/4%4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2+rpi1^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ad4da051b6759ed4b47a07dc1fa73b76aef130c5;p=qt4-x11.git bmp image handler: check for out of range image size Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Change-Id: I874e04f3b43122d73f8e58c7a5bcc4a741b68264 Reviewed-by: Lars Knoll Gbp-Pq: Name cve_2018-19873.patch
---
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 17a880b53..4f766d9b4 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -181,6 +181,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
 if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) || (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
 return false; // weird compression type
+ if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
+ return false;
 return true;
 }
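Review bot: The added size check in read_dib_infoheader calls `qAbs(bi.biHeight)` on the raw header field. If biHeight is a signed 32-bit value (its declaration is outside this hunk), the most negative height overflows inside qAbs before the multiplication, which is undefined behaviour on exactly the kind of malformed file this guard is meant to reject. The check also lets a zero width or zero height through, so unless later code rejects those (not visible here) an empty image still reaches the decoder. Widening before taking the absolute value and rejecting empty dimensions covers both: `if (bi.biWidth <= 0 || bi.biHeight == 0 || quint64(bi.biWidth) * quint64(qAbs(qint64(bi.biHeight))) > quint64(16384) * 16384)`. A short comment naming the 16384 x 16384 pixel cap would also help; the function body begins above the hunk.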