File 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch of Package kimageformats.9566

From 20b6fef093ab276a532d015a192e62d7219c939a Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Sun, 20 Jan 2019 12:51:02 +0100
Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf

Test Plan: No crash anymore.

Reviewers: aacid

Subscribers: kde-frameworks-devel

Tags: #frameworks

Differential Revision: https://phabricator.kde.org/D18574
---
 src/imageformats/tga.cpp | 27 +++++++++++++++++++++++----
 src/imageformats/xcf.cpp |  3 ++-
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
index 3a22b45..9217bed 100644
--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
@@ -189,7 +189,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
     }
 
     uint pixel_size = (tga.pixel_size / 8);
-    uint size = tga.width * tga.height * pixel_size;
+    qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
 
     if (size < 1) {
 //          qDebug() << "This TGA file is broken with size " << size;
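Review bot: Widening `size` to qint64 removes the wrap in the product, but the guard below it still only rejects `size < 1`, so a header with large width/height now yields a huge positive `size` that is later narrowed again when it reaches `malloc` (size_t, 32-bit on some targets) and `QDataStream::readRawData` (an `int` length in Qt 5). Unless a cap exists in the lines between this hunk and the next, I would bound it here, where it is computed: `if (size < 1 || size > INT_MAX) {` (adding `<climits>` if the file does not already have it), which keeps both later conversions exact. The `pixel_size == 0` case for bit depths below 8 is already rejected by the `< 1` side. LoadTGA's body continues outside the hunk.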
@@ -204,20 +204,34 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
     }
 
     // Allocate image.
-    uchar *const image = new uchar[size];
+    uchar *const image = reinterpret_cast<uchar*>(malloc(size));
+    if (!image) {
+        return false;
+    }
+
+    bool valid = true;
 
     if (info.rle) {
         // Decode image.
         char *dst = (char *)image;
-        int num = size;
+        qint64 num = size;
 
         while (num > 0) {
+            if (s.atEnd()) {
+                valid = false;
+                break;
+            }
+
             // Get packet header.
             uchar c;
             s >> c;
 
             uint count = (c & 0x7f) + 1;
             num -= count * pixel_size;
+            if (num < 0) {
+                valid = false;
+                break;
+            }
 
             if (c & 0x80) {
                 // RLE pixels.
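Review bot: The new `malloc` result is an owning raw pointer that now has to be released on two separate paths (the `!valid` exit and the normal exit), and any `return false` that may sit between this allocation and the validity check in the hidden pixel-read lines would leak it. A scoped holder makes every exit safe without touching the conversion code, e.g. `std::unique_ptr<uchar, decltype(&free)> imageHolder(image, &free);` right after the null check (or `QScopedPointer<uchar, QScopedPointerPodDeleter>`), with the explicit `free(image)` calls dropped. The `s.atEnd()` test before each packet header is good; note it relies on the underlying QIODevice reporting end-of-data correctly, which sequential devices may not. The RLE pixel reads that follow the `c & 0x80` branch are outside the hunk.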
@@ -240,6 +254,11 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
         s.readRawData((char *)image, size);
     }
 
+    if (!valid) {
+        free(image);
+        return false;
+    }
+
     // Convert image to internal format.
     int y_start, y_step, y_end;
     if (tga.flags & TGA_ORIGIN_UPPER) {
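Review bot: The non-RLE path never updates `valid`: the return value of `s.readRawData((char *)image, size)` is discarded, so a truncated file leaves the tail of the freshly `malloc`ed (uninitialized) buffer unread, and the conversion loop below then copies heap garbage into the QImage instead of failing like the RLE path now does. Checking the count closes that gap: `if (s.readRawData((char *)image, size) != size) { valid = false; }`. Also note that with `size` now a qint64, this call narrows it to readRawData's `int` length parameter implicitly; an explicit cap on `size` earlier in the function (or a `static_cast<int>` after such a cap) would make that intentional. The conversion loop that follows runs past the end of the hunk.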
@@ -294,7 +313,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
     }
 
     // Free image.
-    delete [] image;
+    free(image);
 
     return true;
 }
diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
index 758b65e..824d67a 100644
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -489,11 +489,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
         quint32 ncolors;
         xcf_io >> ncolors;
 
+        size = 3 * ncolors + 4;
+
         if (size > 65535 || size < 4) {
             return false;
         }
 
-        size = 3 * ncolors + 4;
         data = new char[size];
 
         // since we already read "ncolors" from the stream, we put that data back
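Review bot: Moving `size = 3 * ncolors + 4;` above the range check is the right order, but the check still bounds only the computed `size`, not `ncolors`: if `size` is a 32-bit unsigned (as a `quint32` read earlier in loadProperty would make it — I cannot see its declaration), `3 * ncolors` wraps for `ncolors` above 0x55555555, so e.g. `ncolors = 0x55555556` gives `size = 6`, passes `size > 65535 || size < 4`, and allocates 6 bytes while the stream and any later consumer still believe there are ~1.4 billion colours. Bounding the input before the arithmetic avoids relying on the wrap being harmless: `if (ncolors > (65535u - 4) / 3) { return false; }` placed before the `size =` line. The `data = new char[size]` still leaves a raw owning pointer whose ownership is handled outside this hunk.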
-- 
2.20.1
