Fix UB in webp decode and memory leak in encoder

Ensure the ICC block is aligned before parsing and clear the writer after we have initialized it. Fixes: QTBUG-84267 Change-Id: I7e16ee7663dbe404b4819769deab7d9c9b6c8f20 Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit b761ff58d6d7b0604d88d6bd332b4470044ffe6a) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-05-18 13:51:09 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2020-05-18 14:09:00 +0000
commit: 1a790ba6151a3128b49d3dc556d3373dbda9f9d1 (patch)
tree: a1defeeff05e2971abfe9ffaa740d654eecb4acd
parent: ec15f82b67b851d9dc789cc292c662a988100534 (diff)
download: qtimageformats-1a790ba6151a3128b49d3dc556d3373dbda9f9d1.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/src/plugins/imageformats/webp/qwebphandler.cpp b/src/plugins/imageformats/webp/qwebphandler.cpp
index c1898d0..82d38cb 100644
--- a/src/plugins/imageformats/webp/qwebphandler.cpp
+++ b/src/plugins/imageformats/webp/qwebphandler.cpp
@@ -167,8 +167,11 @@ bool QWebpHandler::read(QImage *image)
         // Read global meta-data chunks first
         WebPChunkIterator metaDataIter;
         if ((m_formatFlags & ICCP_FLAG) && WebPDemuxGetChunk(m_demuxer, "ICCP", 1, &metaDataIter)) {
-            const QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes),
-                                                                  metaDataIter.chunk.size);
+            QByteArray iccProfile = QByteArray::fromRawData(reinterpret_cast<const char *>(metaDataIter.chunk.bytes),
+                                                            metaDataIter.chunk.size);
+            // Ensure the profile is 4-byte aligned.
+            if (reinterpret_cast<qintptr>(iccProfile.constData()) & 0x3)
+                iccProfile.detach();
             m_colorSpace = QColorSpace::fromIccProfile(iccProfile);
             // ### consider parsing EXIF and/or XMP metadata too.
             WebPDemuxReleaseChunkIterator(&metaDataIter);
@@ -288,6 +291,7 @@ bool QWebpHandler::write(const QImage &image)
     if (!WebPEncode(&config, &picture)) {
         qWarning() << "failed to encode webp picture, error code: " << picture.error_code;
         WebPPictureFree(&picture);
+        WebPMemoryWriterClear(&writer);
         return false;
     }
 
@@ -336,6 +340,7 @@ bool QWebpHandler::write(const QImage &image)
                    static_cast<size_t>(device()->write(reinterpret_cast<const char *>(writer.mem), writer.size)));
     }
     WebPPictureFree(&picture);
+    WebPMemoryWriterClear(&writer);
 
     return res;
 }
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-05-18 13:51:09 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2020-05-18 14:09:00 +0000
commit	1a790ba6151a3128b49d3dc556d3373dbda9f9d1 (patch)
tree	a1defeeff05e2971abfe9ffaa740d654eecb4acd
parent	ec15f82b67b851d9dc789cc292c662a988100534 (diff)
download	qtimageformats-1a790ba6151a3128b49d3dc556d3373dbda9f9d1.tar.gz