From ac1b4232ffc2b02bc4ab2e04e5451fa40b62a93e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= Date: Mon, 28 Jan 2019 11:46:21 +0100 Subject: Check for QImage allocation failure in qasyncimageio. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since image files easily can be (or corrupt files claim to be) huge, it is worth checking for out of memory situations. Based on Qt5 patch for CVE-2018-19870. Signed-off-by: Slávek Banko (cherry picked from commit a04cfea092d974109c6a883f26762be984805c8e) --- src/kernel/qasyncimageio.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/kernel/qasyncimageio.cpp b/src/kernel/qasyncimageio.cpp index 7be8ddb..18b3cca 100644 --- a/src/kernel/qasyncimageio.cpp +++ b/src/kernel/qasyncimageio.cpp @@ -964,9 +964,12 @@ int QGIFFormat::decode(QImage& img, QImageConsumer* consumer, if (backingstore.width() < w || backingstore.height() < h) { // We just use the backing store as a byte array - backingstore.create( QMAX(backingstore.width(), w), - QMAX(backingstore.height(), h), - 32); + if(!backingstore.create( QMAX(backingstore.width(), w), + QMAX(backingstore.height(), h), + 32)) { + state = Error; + return -1; + } memset( img.bits(), 0, img.numBytes() ); } for (int ln=0; ln