authorSlávek Banko <[email protected]>2019-01-28 11:46:21 +0100
committerSlávek Banko <[email protected]>2019-03-03 15:33:15 +0100
commitac1b4232ffc2b02bc4ab2e04e5451fa40b62a93e (patch)
tree5ec7a2abab9ef7cae772e387c353aff2519596a7
parentc966e917a9f092e8b35e1f274dcddebdcb77c3e0 (diff)
Check for QImage allocation failure in qasyncimageio.
Since image files easily can be (or corrupt files claim to be) huge, it is worth checking for out of memory situations. Based on Qt5 patch for CVE-2018-19870. Signed-off-by: Slávek Banko <[email protected]> (cherry picked from commit a04cfea092d974109c6a883f26762be984805c8e)
-rw-r--r--src/kernel/qasyncimageio.cpp9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kernel/qasyncimageio.cpp b/src/kernel/qasyncimageio.cpp
index 7be8ddb..18b3cca 100644
--- a/src/kernel/qasyncimageio.cpp
+++ b/src/kernel/qasyncimageio.cpp
@@ -964,9 +964,12 @@ int QGIFFormat::decode(QImage& img, QImageConsumer* consumer,
if (backingstore.width() < w
|| backingstore.height() < h) {
// We just use the backing store as a byte array
- backingstore.create( QMAX(backingstore.width(), w),
- QMAX(backingstore.height(), h),
- 32);
+ if(!backingstore.create( QMAX(backingstore.width(), w),
+ QMAX(backingstore.height(), h),
+ 32)) {
+ state = Error;
+ return -1;
+ }
memset( img.bits(), 0, img.numBytes() );
}
for (int ln=0; ln<h; ln++) {
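Review bot: The new check covers only `backingstore.create()`, while the very next line still writes `img.numBytes()` bytes through `img.bits()` with no guard visible in this hunk. If `img` is allocated from the same file-supplied dimensions elsewhere in `QGIFFormat::decode`, that allocation presumably needs the same treatment, e.g. `if (img.isNull()) { state = Error; return -1; }` right after it is created; this should be confirmed against the rest of the function, which starts and ends outside the hunk. A short comment on the new branch, such as `// Dimensions come from the file; a failed allocation must abort decoding`, would also record why the return value is now checked.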