Check for QImage allocation failure in qasyncimageio.

Since image files easily can be (or corrupt files claim to be) huge, it is worth checking for out of memory situations. Based on Qt5 patch for CVE-2018-19870. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit a04cfea092d974109c6a883f26762be984805c8e)
author: Slávek Banko <slavek.banko@axis.cz> 2019-01-28 10:56:46 +0100
committer: Slávek Banko <slavek.banko@axis.cz> 2019-03-03 15:35:23 +0100
commit: 55c97eb0b3161b5815b8e3148c65d4641bdf1fdd (patch)
tree: 5081fd84dbf699503a1367c96d5778dadec418e4
parent: d85c2df3c7b4f45b36df30b4e66d3f3b71b24b98 (diff)
download: qt3-55c97eb0b3161b5815b8e3148c65d4641bdf1fdd.tar.gz
qt3-55c97eb0b3161b5815b8e3148c65d4641bdf1fdd.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kernel/qasyncimageio.cpp b/src/kernel/qasyncimageio.cpp
index 7be8ddb..18b3cca 100644
--- a/src/kernel/qasyncimageio.cpp
+++ b/src/kernel/qasyncimageio.cpp
@@ -964,9 +964,12 @@ int QGIFFormat::decode(QImage& img, QImageConsumer* consumer,
 		    if (backingstore.width() < w
 			|| backingstore.height() < h) {
 			// We just use the backing store as a byte array
-			backingstore.create( QMAX(backingstore.width(), w),
-					     QMAX(backingstore.height(), h),
-					     32);
+			if(!backingstore.create( QMAX(backingstore.width(), w),
+						 QMAX(backingstore.height(), h),
+						 32)) {
+				state = Error;
+				return -1;
+			}
 			memset( img.bits(), 0, img.numBytes() );
 		    }
 		    for (int ln=0; ln<h; ln++) {
author	Slávek Banko <slavek.banko@axis.cz>	2019-01-28 10:56:46 +0100
committer	Slávek Banko <slavek.banko@axis.cz>	2019-03-03 15:35:23 +0100
commit	55c97eb0b3161b5815b8e3148c65d4641bdf1fdd (patch)
tree	5081fd84dbf699503a1367c96d5778dadec418e4
parent	d85c2df3c7b4f45b36df30b4e66d3f3b71b24b98 (diff)
download	qt3-55c97eb0b3161b5815b8e3148c65d4641bdf1fdd.tar.gz qt3-55c97eb0b3161b5815b8e3148c65d4641bdf1fdd.zip