From f1b76c126c476c155af8c404b97c42cd1a709333 Mon Sep 17 00:00:00 2001

From: Lars Knoll <lars.knoll@digia.com>

Date: Thu, 24 Apr 2014 15:33:27 +0200

Subject: [PATCH 23/74] Don't crash on broken GIF images

Broken GIF images could set invalid width and height

values inside the image, leading to Qt creating a null

QImage for it. In that case we need to abort decoding

the image and return an error.

Initial patch by Rich Moore.

Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5

Task-number: QTBUG-38367

Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a

Security-advisory: CVE-2014-0190

Reviewed-by: Richard J. Moore <rich@kde.org>

---

 src/gui/image/qgifhandler.cpp | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp

index 3324f04..5199dd3 100644

--- a/src/gui/image/qgifhandler.cpp

+++ b/src/gui/image/qgifhandler.cpp

@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,

                     memset(bits, 0, image->byteCount());

                 }

+                // Check if the previous attempt to create the image failed. If it

+                // did then the image is broken and we should give up.

+                if (image->isNull()) {

+                    state = Error;

+                    return -1;

+                }

+

                 disposePrevious(image);

                 disposed = false;

-- 

1.9.3