From 156bac5e54205f7fcd31074c862c0bc72886d03c Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 13 Feb 2019 23:50:36 +0100
Subject: [PATCH] ras: protect the palette QVector too

oss-fuzz/13068
---
 src/imageformats/ras.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/imageformats/ras.cpp b/src/imageformats/ras.cpp
index f1279e1..f684e2f 100644
--- a/src/imageformats/ras.cpp
+++ b/src/imageformats/ras.cpp
@@ -102,6 +102,13 @@ static bool IsSupported(const RasHeader &head)
 static bool LoadRAS(QDataStream &s, const RasHeader &ras, QImage &img)
 {
     s.device()->seek(RasHeader::SIZE);
+
+    // QVector uses some extra space for stuff, hence the 32 here suggested by thiago
+    if (ras.ColorMapLength > std::numeric_limits<int>::max() - 32) {
+        qWarning() << "LoadRAS() unsupported image color map length in file header" << ras.ColorMapLength;
+        return false;
+    }
+
     // Read palette if needed.
     QVector<quint8> palette(ras.ColorMapLength);
     if (ras.ColorMapType == 1) {