File libqt5-Fixes-crash-in-bmp-and-ico-image-decodin... of Package libqt5-qtbase.620

Overview Repositories Revisions Requests Users Attributes Meta

File libqt5-Fixes-crash-in-bmp-and-ico-image-decoding.patch of Package libqt5-qtbase.620

From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
Date: Wed, 11 Mar 2015 13:34:01 +0100
Subject: [PATCH] Fixes crash in bmp and ico image decoding

Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.

Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
---
 src/gui/image/qbmphandler.cpp                | 13 +++++++------
 src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -492,12 +492,6 @@ static bool read_dib_body(QDataStream &s
                             p = data + (h-y-1)*bpl;
                             break;
                         case 2:                        // delta (jump)
-                            // Protection
-                            if ((uint)x >= (uint)w)
-                                x = w-1;
-                            if ((uint)y >= (uint)h)
-                                y = h-1;
-
                             {
                                 quint8 tmp;
                                 d->getChar((char *)&tmp);
@@ -505,6 +499,13 @@ static bool read_dib_body(QDataStream &s
                                 d->getChar((char *)&tmp);
                                 y += tmp;
                             }
+
+                            // Protection
+                            if ((uint)x >= (uint)w)
+                                x = w-1;
+                            if ((uint)y >= (uint)h)
+                                y = h-1;
+
                             p = data + (h-y-1)*bpl + x;
                             break;
                         default:                // absolute mode
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
                 QImage::Format format = QImage::Format_ARGB32;
                 if (icoAttrib.nbits == 24)
                     format = QImage::Format_RGB32;
-                else if (icoAttrib.ncolors == 2)
+                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
                     format = QImage::Format_Mono;
                 else if (icoAttrib.ncolors > 0)
                     format = QImage::Format_Indexed8;

Places

File libqt5-Fixes-crash-in-bmp-and-ico-image-decoding.patch of Package libqt5-qtbase.620

Places