authorEirik Aavitsland <eirik.aavitsland@qt.io>2021-03-02 16:57:15 +0100
committerEirik Aavitsland <eirik.aavitsland@qt.io>2021-03-03 12:35:26 +0100
commit124d950b34a4b5f3bc7f1fa34336f882dbc3edc5 (patch)
tree8c63a1526bc8761e72ee712b62abde84d8c06366 /src
parentfdf7f8f8c8e1c7b41a7315195efe876250ac9c35 (diff)
downloadqtimageformats-124d950b34a4b5f3bc7f1fa34336f882dbc3edc5.tar.gz
Avoid scanline overflow when reading corrupt tiffs
Check that the actual scanlines to be read by libtiff are not wider than expected. This issue was reported by Samuel Groß and Natalie Silvanovich of Google Project Zero. Pick-to: 6.1 6.0 5.15 5.12 Change-Id: I2af818d5a3c57643747a7fbfac8bb934cd79efd7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/plugins/imageformats/tiff/qtiffhandler.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/imageformats/tiff/qtiffhandler.cpp b/src/plugins/imageformats/tiff/qtiffhandler.cpp
index d9e5478..2f32b6d 100644
--- a/src/plugins/imageformats/tiff/qtiffhandler.cpp
+++ b/src/plugins/imageformats/tiff/qtiffhandler.cpp
@@ -453,6 +453,10 @@ bool QTiffHandler::read(QImage *image)
}
_TIFFfree(buf);
} else {
+ if (image->bytesPerLine() < TIFFScanlineSize(tiff)) {
+ d->close();
+ return false;
+ }
for (uint32 y=0; y<height; ++y) {
if (TIFFReadScanline(tiff, image->scanLine(y), y, 0) < 0) {
d->close();
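Review bot: The new guard before the scanline loop treats any `TIFFScanlineSize(tiff)` result as a valid width, but libtiff returns 0 from that call when its own size computation fails or overflows, and a 0 passes the `<` comparison. Whether `TIFFReadScanline` then fails cleanly for such a file is not visible in this hunk, so I would reject that case explicitly: `const tmsize_t lineSize = TIFFScanlineSize(tiff);` followed by `if (lineSize <= 0 || image->bytesPerLine() < lineSize) {`. A one-line comment would also help the next reader, for example `// libtiff writes TIFFScanlineSize() bytes per row into image->scanLine(y); a corrupt file can make that wider than the QImage row`. The `else` branch and `QTiffHandler::read` both start and end outside the hunk, so I could not check whether the tiled branch above needs an equivalent bound.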