Fix possible read overflow with malformed data

Mirco Miranda
2025-10-23 08:23:57 +02:00
parent 54c94764d1
commit d6d67c7b8b


@ -2419,11 +2419,13 @@ QList<QRgb> BEAMChunk::palette(qint32 y) const
for (auto c = 0; c < col; ++c) { for (auto c = 0; c < col; ++c) {
// 2 bytes per color (0x0R 0xGB) // 2 bytes per color (0x0R 0xGB)
auto idx = bpp * y + c * 2; auto idx = bpp * y + c * 2;
if (idx + 1 < dt.size()) {
auto r = quint8(dt[idx] & 0x0F); auto r = quint8(dt[idx] & 0x0F);
auto g = quint8(dt[idx + 1] & 0xF0); auto g = quint8(dt[idx + 1] & 0xF0);
auto b = quint8(dt[idx + 1] & 0x0F); auto b = quint8(dt[idx + 1] & 0x0F);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4)); pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
} }
}
return pal; return pal;
} }
@ -2510,11 +2512,13 @@ QList<QRgb> SHAMChunk::palette(qint32 y) const
for (auto c = 0, col = bpp / 2, idx0 = y / div * bpp + 2; c < col; ++c) { for (auto c = 0, col = bpp / 2, idx0 = y / div * bpp + 2; c < col; ++c) {
// 2 bytes per color (0x0R 0xGB) // 2 bytes per color (0x0R 0xGB)
auto idx = idx0 + c * 2; auto idx = idx0 + c * 2;
if (idx + 1 < dt.size()) {
auto r = quint8(dt[idx] & 0x0F); auto r = quint8(dt[idx] & 0x0F);
auto g = quint8(dt[idx + 1] & 0xF0); auto g = quint8(dt[idx + 1] & 0xF0);
auto b = quint8(dt[idx + 1] & 0x0F); auto b = quint8(dt[idx + 1] & 0x0F);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4)); pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
} }
}
return pal; return pal;
} }
@ -2570,6 +2574,7 @@ QList<QRgb> RASTChunk::palette(qint32 y) const
QList<QRgb> pal; QList<QRgb> pal;
for (auto c = 0; c < col; ++c) { for (auto c = 0; c < col; ++c) {
auto idx = bpp * y + 2 + c * 2; auto idx = bpp * y + 2 + c * 2;
if (idx + 1 < dt.size()) {
// The Atari ST uses 3 bits per color (512 colors) while the Atari STE // The Atari ST uses 3 bits per color (512 colors) while the Atari STE
// uses 4 bits per color (4096 colors). This strange encoding with the // uses 4 bits per color (4096 colors). This strange encoding with the
// least significant bit set as MSB is, I believe, to ensure hardware // least significant bit set as MSB is, I believe, to ensure hardware
@ -2581,6 +2586,7 @@ QList<QRgb> RASTChunk::palette(qint32 y) const
#undef H1L #undef H1L
pal << qRgb(r | (r << 4), (g << 4) | g, b | (b << 4)); pal << qRgb(r | (r << 4), (g << 4) | g, b | (b << 4));
} }
}
return pal; return pal;
} }
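Review bot: The new guard `if (idx + 1 < dt.size())` in BEAMChunk::palette bounds the read only from above, so a negative `idx` would still reach `dt[idx]`; the same guard is repeated in the SHAMChunk::palette and RASTChunk::palette hunks. `idx` is computed from the caller-supplied `qint32 y` and from `bpp`, whose type and validation lie outside these hunks, so if either can be negative, or if `bpp * y` can wrap with file-controlled values, the check passes and the read lands before the start of the buffer. I would write `if (idx >= 0 && idx + 1 < dt.size())`, or validate `y` and `bpp` once before the loop. Entries that fail the check are skipped silently, so the returned palette can hold fewer than `col` colours; a comment such as `// malformed chunk: palette may hold fewer than col entries` would warn callers not to index it by colour number without checking its size. All three function bodies start outside the visible hunks.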