Sanity checks (fuzzer)

I ran a stupid fuzzer on all the plugins in the repo and some plugins needs more sanity checks. - RAS: fixed palette reading on corrupted files - RGB: improved error detection on datastream This patch improves the reading speed of some corrupted files and limit the maximum memory allocation of RAS palette.
2025-05-28 00:30:23 -04:00 · 2024-06-11 22:15:27 +00:00 · 2024-06-11 22:15:27 +00:00 · 863c424390
commit 863c424390
parent bd083ff354
2 changed files with 12 additions and 4 deletions
--- a/src/imageformats/ras.cpp
+++ b/src/imageformats/ras.cpp
@ -221,9 +221,16 @@ static bool LoadRAS(QDataStream &s, const RasHeader &ras, QImage &img)

    // Read palette if needed.
    if (ras.ColorMapType == RAS_COLOR_MAP_TYPE_RGB) {
+        // max 256 rgb elements palette is supported
+        if (ras.ColorMapLength > 768) {
+            return false;
+        }
        QList<quint8> palette(ras.ColorMapLength);
        for (quint32 i = 0; i < ras.ColorMapLength; ++i) {
            s >> palette[i];
+            if (s.status() != QDataStream::Ok) {
+                return false;
+            }
        }
        QList<QRgb> colorTable;
        for (quint32 i = 0, n = ras.ColorMapLength / 3; i < n; ++i) {
@ -233,9 +240,6 @@ static bool LoadRAS(QDataStream &s, const RasHeader &ras, QImage &img)
            colorTable << qRgb(255, 255, 255);
        }
        img.setColorTable(colorTable);
-        if (s.status() != QDataStream::Ok) {
-            return false;
-        }
    }

    LineDecoder dec(s.device(), ras);
--- a/src/imageformats/rgb.cpp
+++ b/src/imageformats/rgb.cpp
@ -360,11 +360,15 @@ bool SGIImage::readImage(QImage &img)
        }

        _lengthtab = new quint32[_numrows];
-        for (l = 0; l < _numrows; l++) {
+        for (l = 0; !_stream.atEnd() && l < _numrows; l++) {
            _stream >> _lengthtab[l];
        }
    }

+    if (_stream.status() != QDataStream::Ok) {
+        return false;
+    }
+
    _data = _dev->readAll();

    // sanity check