From 1bad780baaa3a50ab6551131517ea32f0333578f Mon Sep 17 00:00:00 2001
From: Albert Astals Cid
Date: Tue, 29 Jan 2019 20:36:15 +0100
Subject: [PATCH] xcf: loadHierarchy: Obey the layer.type and not the bpp

Otherwise we end up doing uninitialized memory reads on broken/fuzzed files

oss-fuzz/12761
---
 src/imageformats/xcf.cpp | 42 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
index dea3011..5a33433 100644
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -27,7 +27,7 @@
 #include
 #include
 #include
-// #include
+#include
 #include
@@ -970,6 +970,46 @@ bool XCFImageFormat::loadHierarchy(QDataStream &xcf_io, Layer &layer)
     xcf_io >> width >> height >> bpp >> offset;
+    // make sure bpp is correct and complain if it is not
+    switch (layer.type) {
+    case RGB_GIMAGE:
+        if (bpp != 3) {
+            qWarning() << "Found layer of type RGB but with bpp != 3" << bpp;
+            bpp = 3;
+        }
+        break;
+    case RGBA_GIMAGE:
+        if (bpp != 4) {
+            qWarning() << "Found layer of type RGBA but with bpp != 4" << bpp;
+            bpp = 4;
+        }
+        break;
+    case GRAY_GIMAGE:
+        if (bpp != 1) {
+            qWarning() << "Found layer of type Gray but with bpp != 1" << bpp;
+            bpp = 1;
+        }
+        break;
+    case GRAYA_GIMAGE:
+        if (bpp != 2) {
+            qWarning() << "Found layer of type Gray+Alpha but with bpp != 2" << bpp;
+            bpp = 2;
+        }
+        break;
+    case INDEXED_GIMAGE:
+        if (bpp != 1) {
+            qWarning() << "Found layer of type Indexed but with bpp != 1" << bpp;
+            bpp = 1;
+        }
+        break;
+    case INDEXEDA_GIMAGE:
+        if (bpp != 2) {
+            qWarning() << "Found layer of type Indexed+Alpha but with bpp != 2" << bpp;
+            bpp = 2;
+        }
+        break;
+    }
+
     // GIMP stores images in a "mipmap"-like format (multiple levels of
     // increasingly lower resolution). Only the top level is used here,
     // however.
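Review bot: The `switch (layer.type)` has no `default:` branch, so for any value of `layer.type` outside the six listed cases the file-supplied `bpp` passes through uncorrected and the later reads are governed by the untrusted value again, which is exactly the condition the commit sets out to close. Whether `layer.type` is validated before `loadHierarchy` is called is not visible in this hunk; unless it is, a `default:` that rejects the layer rather than guessing a width is the safer shape, e.g. `default: qWarning() << "Found layer with unknown type" << layer.type; return false;`, which also matches the function's `bool` return. A brief comment above the switch explaining that `bpp` is read from the file and is therefore overridden by the trusted `layer.type` would make the intent clear to the next reader. The body of `loadHierarchy` starts and ends outside the hunk.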