Add some sanity and bounds checking

Since QImage does sanity checking for overflows and stuff wrt. dimensions and depth, check for QImage::isNull() as early as possible to see if there's some funky business going on. Also tried to add some checks wherever we wrote to "raw" memory. Unit tests pass, and tested converting some files from https://samples.ffmpeg.org/image-samples/ to pngs, and that seemed to work. Reviewed By: aacid Differential Revision: https://phabricator.kde.org/D24367
2025-07-18 03:54:18 -04:00 · 2019-10-02 17:39:59 +02:00
parent f5b26cc9f9
commit 8562ce18f1
6 changed files with 106 additions and 12 deletions
--- a/src/imageformats/psd.cpp
+++ b/src/imageformats/psd.cpp
@ -171,10 +171,20 @@ static bool LoadPSD(QDataStream &stream, const PSDHeader &header, QImage &img)
        channel_num = 4;
    }
    img = QImage(header.width, header.height, fmt);
+    if (img.isNull()) {
+        qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width, header.height);
+        return false;
+    }
    img.fill(qRgb(0,0,0));

    const quint32 pixel_count = header.height * header.width;

+    // Verify this, as this is used to write into the memory of the QImage
+    if (pixel_count > img.sizeInBytes() / sizeof(QRgb)) {
+        qWarning() << "Invalid pixel count!" << pixel_count << "bytes available:" << img.sizeInBytes();
+        return false;
+    }
+
    QRgb *image_data = reinterpret_cast<QRgb*>(img.bits());

    if (!image_data) {
@ -276,6 +286,11 @@ bool PSDHandler::canRead(QIODevice *device)

    char head[4];
    qint64 readBytes = device->read(head, sizeof(head));
+    if (readBytes < 0) {
+        qWarning() << "Read failed" << device->errorString();
+        return false;
+    }
+
    if (readBytes != sizeof(head)) {
        if (device->isSequential()) {
            while (readBytes > 0) {