diff options
author | Slávek Banko <slavek.banko@axis.cz> | 2019-01-28 11:42:06 +0100 |
---|---|---|
committer | Slávek Banko <slavek.banko@axis.cz> | 2019-03-03 15:37:40 +0100 |
commit | ff46bf1d82556816fa302394d5f63af7d4951b37 (patch) | |
tree | 11ed065f9edf6ee03b84bc3fa2cde090e01f7034 | |
parent | a195af105a60fceff3d3a7850282f12f5a903d06 (diff) | |
download | tqt3-ff46bf1d82556816fa302394d5f63af7d4951b37.tar.gz tqt3-ff46bf1d82556816fa302394d5f63af7d4951b37.zip |
bmp image: check for out of range image size.r14.0.6
Make the decoder fail early to avoid spending time and memory on
attempting to decode a corrupt image file.
Based on Qt5 patch for CVE-2018-19873.
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
(cherry picked from commit 5a61151fe90ed84dce18998fe6c7d69ec6e49c74)
-rw-r--r-- | src/kernel/qimage.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp index ab42e188b..0d7b9aaab 100644 --- a/src/kernel/qimage.cpp +++ b/src/kernel/qimage.cpp @@ -4667,6 +4667,8 @@ bool read_dib( TQDataStream& s, int offset, int startpos, TQImage& image ) if ( !(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) || (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)) ) return FALSE; // weird compression type + if ((w < 0) || ((w * abs(h)) > (16384 * 16384))) + return FALSE; int ncols; int depth; |