bmp image: check for out of range image size.

Make the decoder fail early to avoid spending time and memory on attempting to decode a corrupt image file. Based on Qt5 patch for CVE-2018-19873. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
author: Slávek Banko <slavek.banko@axis.cz> 2019-01-28 11:47:23 +0100
committer: Slávek Banko <slavek.banko@axis.cz> 2019-03-03 15:32:03 +0100
commit: a00e43bd1ce54de39f807ae5acbcaa52b15be844 (patch)
tree: 194f3096b6a3233daf43e65e51d807e7db28d388
parent: a04cfea092d974109c6a883f26762be984805c8e (diff)
download: qt3-a00e43bd1ce54de39f807ae5acbcaa52b15be844.tar.gz
qt3-a00e43bd1ce54de39f807ae5acbcaa52b15be844.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 60a9a5d..8dd71be 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -4667,6 +4667,8 @@ bool read_dib( QDataStream& s, int offset, int startpos, QImage& image )
     if ( !(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
 	(nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)) )
 	 return FALSE;				// weird compression type
+    if ((w < 0) || ((w * abs(h)) > (16384 * 16384)))
+        return FALSE;
 
     int ncols;
     int depth;
author	Slávek Banko <slavek.banko@axis.cz>	2019-01-28 11:47:23 +0100
committer	Slávek Banko <slavek.banko@axis.cz>	2019-03-03 15:32:03 +0100
commit	a00e43bd1ce54de39f807ae5acbcaa52b15be844 (patch)
tree	194f3096b6a3233daf43e65e51d807e7db28d388
parent	a04cfea092d974109c6a883f26762be984805c8e (diff)
download	qt3-a00e43bd1ce54de39f807ae5acbcaa52b15be844.tar.gz qt3-a00e43bd1ce54de39f807ae5acbcaa52b15be844.zip