diff options
Diffstat (limited to 'user/qt5-qtimageformats/kde-lts.patch')
-rw-r--r-- | user/qt5-qtimageformats/kde-lts.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/user/qt5-qtimageformats/kde-lts.patch b/user/qt5-qtimageformats/kde-lts.patch new file mode 100644 index 000000000..ff05fd6bb --- /dev/null +++ b/user/qt5-qtimageformats/kde-lts.patch @@ -0,0 +1,78 @@ +From b43e31b9f31ec482ddea2066fda7ca9315512815 Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland <eirik.aavitsland@qt.io> +Date: Fri, 13 May 2022 11:42:35 +0200 +Subject: [PATCH] Add some basic checking against corrupt input +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: QTBUG-103454 +Pick-to: 6.3 6.2 5.15 +Change-Id: I169b0de8465bc5d90aebfd8250db0361819065c5 +Reviewed-by: Robert Löhning <robert.loehning@qt.io> +(cherry picked from commit 34731687ee77c59607db9d88c6361111631e48c6) +--- + src/plugins/imageformats/icns/qicnshandler.cpp | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp +index dde783c..d6fc589 100644 +--- a/src/plugins/imageformats/icns/qicnshandler.cpp ++++ b/src/plugins/imageformats/icns/qicnshandler.cpp +@@ -515,6 +515,9 @@ static bool parseIconEntryInfo(ICNSEntry &icon) + } + icon.height = icon.width; + } ++ // Sanity check ++ if (icon.width == 0 || icon.width > 4096 || icon.depth > 32) ++ return false; + return true; + } + +@@ -685,7 +688,7 @@ bool QICNSHandler::canRead() const + bool QICNSHandler::read(QImage *outImage) + { + QImage img; +- if (!ensureScanned()) { ++ if (!ensureScanned() || m_currentIconIndex >= m_icons.size()) { + qWarning("QICNSHandler::read(): The device wasn't parsed properly!"); + return false; + } +@@ -892,7 +895,7 @@ bool QICNSHandler::scanDevice() + return false; + + const qint64 blockDataOffset = device()->pos(); +- if (!isBlockHeaderValid(blockHeader)) { ++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) { + qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u", + QByteArray::number(blockDataOffset).constData(), + nameFromOSType(blockHeader.ostype).constData(), blockHeader.length); +@@ -927,11 +930,14 @@ bool QICNSHandler::scanDevice() + case ICNSBlockHeader::TypeOdrp: + // Icns container seems to have an embedded icon variant container + // Let's start a scan for entries +- while (device()->pos() < nextBlockOffset) { ++ while (!stream.atEnd() && device()->pos() < nextBlockOffset) { + ICNSBlockHeader icon; + stream >> icon; ++ if (stream.status() != QDataStream::Ok) ++ return false; + // Check for incorrect variant entry header and stop scan +- if (!isBlockHeaderValid(icon, blockDataLength)) ++ quint64 remaining = blockDataLength - (device()->pos() - blockDataOffset); ++ if (!isBlockHeaderValid(icon, ICNSBlockHeaderSize + remaining)) + break; + if (!addEntry(icon, device()->pos(), blockHeader.ostype)) + return false; +@@ -1003,7 +1009,7 @@ bool QICNSHandler::scanDevice() + break; + } + } +- return true; ++ return (m_icons.size() > 0); + } + + const ICNSEntry &QICNSHandler::getIconMask(const ICNSEntry &icon) const +-- +2.36.0 + |