summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSlávek Banko <slavek.banko@axis.cz>2019-01-28 11:42:06 +0100
committerSlávek Banko <slavek.banko@axis.cz>2019-03-03 15:35:23 +0100
commitc677642f0cee91a760ff4d6787c450a2402b5608 (patch)
tree65d0f47da76fc87468e7b450a8f233cd50bbe0dc
parent55c97eb0b3161b5815b8e3148c65d4641bdf1fdd (diff)
downloadqt3-v3.5.13-sru.tar.gz
qt3-v3.5.13-sru.zip
bmp image: check for out of range image size.origin/v3.5.13-sruv3.5.13-sru
Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Based on Qt5 patch for CVE-2018-19873. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit a00e43bd1ce54de39f807ae5acbcaa52b15be844)
-rw-r--r--src/kernel/qimage.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 0d22a7e..93a6b36 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -4667,6 +4667,8 @@ bool read_dib( QDataStream& s, int offset, int startpos, QImage& image )
if ( !(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
(nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)) )
return FALSE; // weird compression type
+ if ((w < 0) || ((w * abs(h)) > (16384 * 16384)))
+ return FALSE;
int ncols;
int depth;