diff options
author | Slávek Banko <slavek.banko@axis.cz> | 2019-01-28 10:56:46 +0100 |
---|---|---|
committer | Slávek Banko <slavek.banko@axis.cz> | 2019-03-03 15:36:55 +0100 |
commit | 83036c3af1ff5439b9106a31738650c54920e475 (patch) | |
tree | 65931e8857a88f1205e2b659d671ad585acdb247 /src/kernel | |
parent | b7be699a0982bb35f229337616bb24795d4762ed (diff) | |
download | tqt3-83036c3af1ff5439b9106a31738650c54920e475.tar.gz tqt3-83036c3af1ff5439b9106a31738650c54920e475.zip |
Check for TQImage allocation failure in qasyncimageio.
Since image files easily can be (or corrupt files claim to be) huge,
it is worth checking for out of memory situations.
Based on Qt5 patch for CVE-2018-19870.
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
Diffstat (limited to 'src/kernel')
-rw-r--r-- | src/kernel/qasyncimageio.cpp | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kernel/qasyncimageio.cpp b/src/kernel/qasyncimageio.cpp index a8196e93a..8605c79ad 100644 --- a/src/kernel/qasyncimageio.cpp +++ b/src/kernel/qasyncimageio.cpp @@ -964,9 +964,12 @@ int TQGIFFormat::decode(TQImage& img, TQImageConsumer* consumer, if (backingstore.width() < w || backingstore.height() < h) { // We just use the backing store as a byte array - backingstore.create( TQMAX(backingstore.width(), w), - TQMAX(backingstore.height(), h), - 32); + if(!backingstore.create( TQMAX(backingstore.width(), w), + TQMAX(backingstore.height(), h), + 32)) { + state = Error; + return -1; + } memset( img.bits(), 0, img.numBytes() ); } for (int ln=0; ln<h; ln++) { |