Fix possible read overflow with malformed data

This commit is contained in:
Mirco Miranda
2025-10-23 08:23:57 +02:00
parent 54c94764d1
commit d6d67c7b8b


@ -2419,10 +2419,12 @@ QList<QRgb> BEAMChunk::palette(qint32 y) const
for (auto c = 0; c < col; ++c) { for (auto c = 0; c < col; ++c) {
// 2 bytes per color (0x0R 0xGB) // 2 bytes per color (0x0R 0xGB)
auto idx = bpp * y + c * 2; auto idx = bpp * y + c * 2;
auto r = quint8(dt[idx] & 0x0F); if (idx + 1 < dt.size()) {
auto g = quint8(dt[idx + 1] & 0xF0); auto r = quint8(dt[idx] & 0x0F);
auto b = quint8(dt[idx + 1] & 0x0F); auto g = quint8(dt[idx + 1] & 0xF0);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4)); auto b = quint8(dt[idx + 1] & 0x0F);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
}
} }
return pal; return pal;
} }
@ -2510,10 +2512,12 @@ QList<QRgb> SHAMChunk::palette(qint32 y) const
for (auto c = 0, col = bpp / 2, idx0 = y / div * bpp + 2; c < col; ++c) { for (auto c = 0, col = bpp / 2, idx0 = y / div * bpp + 2; c < col; ++c) {
// 2 bytes per color (0x0R 0xGB) // 2 bytes per color (0x0R 0xGB)
auto idx = idx0 + c * 2; auto idx = idx0 + c * 2;
auto r = quint8(dt[idx] & 0x0F); if (idx + 1 < dt.size()) {
auto g = quint8(dt[idx + 1] & 0xF0); auto r = quint8(dt[idx] & 0x0F);
auto b = quint8(dt[idx + 1] & 0x0F); auto g = quint8(dt[idx + 1] & 0xF0);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4)); auto b = quint8(dt[idx + 1] & 0x0F);
pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
}
} }
return pal; return pal;
} }
@ -2570,16 +2574,18 @@ QList<QRgb> RASTChunk::palette(qint32 y) const
QList<QRgb> pal; QList<QRgb> pal;
for (auto c = 0; c < col; ++c) { for (auto c = 0; c < col; ++c) {
auto idx = bpp * y + 2 + c * 2; auto idx = bpp * y + 2 + c * 2;
// The Atari ST uses 3 bits per color (512 colors) while the Atari STE if (idx + 1 < dt.size()) {
// uses 4 bits per color (4096 colors). This strange encoding with the // The Atari ST uses 3 bits per color (512 colors) while the Atari STE
// least significant bit set as MSB is, I believe, to ensure hardware // uses 4 bits per color (4096 colors). This strange encoding with the
// compatibility between the two machines. // least significant bit set as MSB is, I believe, to ensure hardware
#define H1L(a) ((quint8(a) & 0x7) << 1) | ((quint8(a) >> 3) & 1) // compatibility between the two machines.
auto r = H1L(dt[idx]); #define H1L(a) ((quint8(a) & 0x7) << 1) | ((quint8(a) >> 3) & 1)
auto g = H1L(dt[idx + 1] >> 4); auto r = H1L(dt[idx]);
auto b = H1L(dt[idx + 1]); auto g = H1L(dt[idx + 1] >> 4);
#undef H1L auto b = H1L(dt[idx + 1]);
pal << qRgb(r | (r << 4), (g << 4) | g, b | (b << 4)); #undef H1L
pal << qRgb(r | (r << 4), (g << 4) | g, b | (b << 4));
}
} }
return pal; return pal;
} }
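Review bot: The new guard `if (idx + 1 < dt.size())` only bounds the upper end, while `idx` is a signed value built from `bpp * y` (and `y / div * bpp` in SHAMChunk) with `y` a `qint32` parameter, so a negative `y` — or a `bpp * y` product that overflows — still satisfies the comparison and reads `dt` at a negative offset; the same one-sided check appears in all three hunks. A two-sided guard, `if (idx >= 0 && idx + 1 < dt.size()) {`, closes that, and since `idx` grows monotonically with `c` a `break` on the first out-of-range entry would make the truncation explicit instead of iterating uselessly through the rest of the loop. On a malformed chunk the function now silently returns fewer than `col` entries; if callers index `pal` by pixel value assuming `col` colours, the out-of-bounds read just moves to them, which is worth checking at the call sites not visible here. All three `palette()` bodies begin before their hunks, so whether `y`, `bpp` or `div` are validated earlier cannot be confirmed from this diff.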