author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-03-02 16:57:15 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-03-03 13:31:47 +0000 |
commit | 25341cf53dfa36c83b74c125c260c72d2477ba5d (patch) | |
tree | 76e7ff05167f0204e69b6448301ba434ea262e70 | |
parent | 7addba23d17b7c29a9a8247699fc3f0617d8e6c4 (diff) | |
download | qtimageformats-25341cf53dfa36c83b74c125c260c72d2477ba5d.tar.gz |
Check that the actual scanlines to be read by libtiff are not
wider than expected.
This issue was reported by Samuel Groß and Natalie Silvanovich of
Google Project Zero.
Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 124d950b34a4b5f3bc7f1fa34336f882dbc3edc5)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/plugins/imageformats/tiff/qtiffhandler.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp index 9107425..2df5152 100644 --- a/src/plugins/imageformats/tiff/qtiffhandler.cpp +++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp @@ -442,6 +442,10 @@ bool QTiffHandler::read(QImage *image) } _TIFFfree(buf); } else { + if (image->bytesPerLine() < TIFFScanlineSize(tiff)) { + d->close(); + return false; + } for (uint32 y=0; y<height; ++y) { if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) { d->close(); |
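Review bot: the new guard in the `else` branch of QTiffHandler::read(), placed just before the scanline loop, returns false without logging anything and without a comment, so a file rejected here looks the same to the caller as any other read failure. A one-line comment would help, stating that TIFFReadScanline() writes TIFFScanlineSize(tiff) bytes into image->scanLine(y) and that the destination row is only image->bytesPerLine() bytes long. A warning on the rejection path would make the failure diagnosable. The diffstat lists only qtiffhandler.cpp, so no regression test accompanies the change; a small TIFF whose scanline size exceeds the row size of the allocated QImage would keep this check from regressing. The branch above it, which ends in `_TIFFfree(buf);`, is not shown in this hunk, so it is worth confirming in review that it does not need an equivalent size check.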