Add some sanity and bounds checking

Since QImage does sanity checking for overflows and stuff wrt. dimensions and depth, check for QImage::isNull() as early as possible to see if there's some funky business going on. Also tried to add some checks wherever we wrote to "raw" memory. Unit tests pass, and tested converting some files from https://samples.ffmpeg.org/image-samples/ to pngs, and that seemed to work. Reviewed By: aacid Differential Revision: https://phabricator.kde.org/D24367
2025-07-18 03:54:18 -04:00 · 2019-10-02 17:39:59 +02:00
parent f5b26cc9f9
commit 8562ce18f1
6 changed files with 106 additions and 12 deletions
--- a/src/imageformats/rgb.cpp
+++ b/src/imageformats/rgb.cpp
@ -313,6 +313,10 @@ bool SGIImage::readImage(QImage &img)
    }

    img = QImage(_xsize, _ysize, QImage::Format_RGB32);
+    if (img.isNull()) {
+        qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(_xsize, _ysize);
+        return false;
+    }

    if (_zsize == 0 )
        return false;
@ -470,7 +474,14 @@ bool SGIImage::scanData(const QImage &img)
    uint len;

    for (y = 0; y < _ysize; y++) {
-        c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1));
+        const int yPos = _ysize - y - 1; // scanline doesn't do any sanity checking
+        if (yPos >= img.height()) {
+            qWarning() << "Failed to get scanline for" << yPos;
+            return false;
+        }
+
+        c = reinterpret_cast<const QRgb *>(img.scanLine(yPos));
+
        for (x = 0; x < _xsize; x++) {
            buf[x] = intensity(qRed(*c++));
        }
@ -484,7 +495,13 @@ bool SGIImage::scanData(const QImage &img)

    if (_zsize != 2) {
        for (y = 0; y < _ysize; y++) {
-            c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1));
+            const int yPos = _ysize - y - 1;
+            if (yPos >= img.height()) {
+                qWarning() << "Failed to get scanline for" << yPos;
+                return false;
+            }
+
+            c = reinterpret_cast<const QRgb *>(img.scanLine(yPos));
            for (x = 0; x < _xsize; x++) {
                buf[x] = intensity(qGreen(*c++));
            }
@ -493,7 +510,13 @@ bool SGIImage::scanData(const QImage &img)
        }

        for (y = 0; y < _ysize; y++) {
-            c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1));
+            const int yPos = _ysize - y - 1;
+            if (yPos >= img.height()) {
+                qWarning() << "Failed to get scanline for" << yPos;
+                return false;
+            }
+
+            c = reinterpret_cast<const QRgb *>(img.scanLine(yPos));
            for (x = 0; x < _xsize; x++) {
                buf[x] = intensity(qBlue(*c++));
            }
@ -507,7 +530,13 @@ bool SGIImage::scanData(const QImage &img)
    }

    for (y = 0; y < _ysize; y++) {
-        c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1));
+        const int yPos = _ysize - y - 1;
+        if (yPos >= img.height()) {
+            qWarning() << "Failed to get scanline for" << yPos;
+            return false;
+        }
+
+        c = reinterpret_cast<const QRgb *>(img.scanLine(yPos));
        for (x = 0; x < _xsize; x++) {
            buf[x] = intensity(qAlpha(*c++));
        }