author | Robert Löhning <robert.loehning@qt.io> | 2023-01-05 23:45:43 +0100 |
---|---|---|
committer | Christian Ehrlicher <ch.ehrlicher@gmx.de> | 2023-01-09 21:32:59 +0000 |
commit | feb7864054886bfb8a99d0f8e3a06ae120f97e62 (patch) | |
tree | 1cb6a52868d81f6744b950a915b7d1fd713c6215 /src | |
parent | 958ffd839a32ab11a1793ab2ce0e7f4868df0276 (diff) | |
download | qtimageformats-feb7864054886bfb8a99d0f8e3a06ae120f97e62.tar.gz |
TGA Plugin: Fix reading of CMapDepth
It's specified to be one byte but the old code used to read an int of
two bytes. Maybe this wasn't noticed because the following byte often
has a value of zero.
This fixes oss-fuzz issue 50741 which is an integer
overflow resulting from the too large value.
[ChangeLog] Fixed reading of TGA files with a non-zero X-origin
Pick-to: 6.5 6.4 6.2 5.15
Change-Id: I989bffd0e4e03caf6737e1ce085247ed54e40db0
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/imageformats/tga/qtgafile.cpp | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
index a1c0e05..f1b9af3 100644
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -185,9 +185,18 @@ QImage QTgaFile::readImage()
 int offset = mHeader[IdLength]; // Mostly always zero
- // Even in TrueColor files a color pallette may be present
- if (mHeader[ColorMapType] == 1)
- offset += littleEndianInt(&mHeader[CMapLength]) * littleEndianInt(&mHeader[CMapDepth]);
+ // Even in TrueColor files a color palette may be present so we have to check it here
+ // even we only support image type 2 (= uncompressed true-color image)
+ if (mHeader[ColorMapType] == 1) {
+ int cmapDepth = mHeader[CMapDepth];
+ if (cmapDepth == 15) // 15 bit is stored as 16 bit + ignoring the highest bit (no alpha)
+ cmapDepth = 16;
+ if (cmapDepth != 16 && cmapDepth != 24 && cmapDepth != 32) {
+ mErrorMessage = tr("Invalid color map depth (%1)").arg(cmapDepth);
+ return {};
+ }
+ offset += littleEndianInt(&mHeader[CMapLength]) * cmapDepth / 8;
+ }
 mDevice->seek(HeaderSize + offset); |
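Review bot: The offset built in the new `if (mHeader[ColorMapType] == 1)` block still comes straight from the file header and is passed to `mDevice->seek(HeaderSize + offset)` on the last context line without checking the result. With the depth limited to 16/24/32 the multiplication can no longer overflow, assuming `littleEndianInt` yields a 16-bit length, but a truncated or malformed file can still declare a color map longer than the data that follows. I would check the return value, e.g. `if (!mDevice->seek(HeaderSize + offset)) { mErrorMessage = tr("Could not seek to image data"); return {}; }`. The rest of readImage() lies outside the hunk, so the later reads may already reject short data, but failing at the seek gives a clearer error. The added comment should also read `even though we only support image type 2`.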