File 0007-Avoid-potential-ub-in-corrupt-bmp-file.patch of Package libqt5-qtbase.23098

From 7703ab5b1e825700d78785c7c6ef4e3d8bccfc3e Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 15 Jun 2020 15:57:05 +0200
Subject: [PATCH 07/11] Avoid potential ub in corrupt bmp file

biHeight may be int_min, in which case qAbs<int>() will not work.

Fixes: oss-fuzz-22997
Change-Id: Ic07d5aa0b4e4f2b6395e1a12d742e31b5282fdfc
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit 6f909a5178296855cdd53b053ced9c551a2474a6)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 12994284f443d9d4c2c86fd453ce6154b8da401f)
---
 src/gui/image/qbmphandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 7257853c3e..4042439e6e 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -188,6 +188,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
          return false;                                // weird compression type
+    if (bi.biHeight == INT_MIN)
+        return false; // out of range for positive int
     if (bi.biWidth <= 0 || !bi.biHeight || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
         return false;
 
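Review bot: The comment on the added early return in read_dib_infoheader, `// out of range for positive int`, does not say what actually goes wrong: the `qAbs(bi.biHeight)` on the following line negates the value, and negating INT_MIN is signed overflow. I would word it as `// -INT_MIN is not representable, so qAbs() below would overflow (UB)`. The diffstat lists only qbmphandler.cpp, so no regression test with a header whose height field is INT_MIN accompanies the fix; adding one to the BMP handler's autotests would keep the guard from being dropped in a later refactor. The check also assumes `biHeight` is exactly int-wide and that `<climits>` is in scope, neither of which is visible here, and the function body starts and ends outside the hunk.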
-- 
2.25.1
