From c677642f0cee91a760ff4d6787c450a2402b5608 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Mon, 28 Jan 2019 11:42:06 +0100
Subject: bmp image: check for out of range image size.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make the decoder fail early to avoid spending time and memory on
attempting to decode a corrupt image file.

Based on Qt5 patch for CVE-2018-19873.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
(cherry picked from commit a00e43bd1ce54de39f807ae5acbcaa52b15be844)
---
 src/kernel/qimage.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 0d22a7e..93a6b36 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -4667,6 +4667,8 @@ bool read_dib( QDataStream& s, int offset, int startpos, QImage& image )
     if ( !(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
 	(nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)) )
 	 return FALSE;				// weird compression type
+    if ((w < 0) || ((w * abs(h)) > (16384 * 16384)))
+        return FALSE;
 
     int ncols;
     int depth;
-- 
cgit v1.2.3