Fix possible read overflow with malformed data

2026-02-26 00:42:59 -05:00 · 2025-10-23 08:23:57 +02:00
parent 54c94764d1
commit d6d67c7b8b
1 changed files with 24 additions and 18 deletions
--- a/src/imageformats/chunks.cpp
+++ b/src/imageformats/chunks.cpp
@ -2419,11 +2419,13 @@ QList<QRgb> BEAMChunk::palette(qint32 y) const
    for (auto c = 0; c < col; ++c) {
        // 2 bytes per color (0x0R 0xGB)
        auto idx = bpp * y + c * 2;
+        if (idx + 1 < dt.size()) {
            auto r = quint8(dt[idx] & 0x0F);
            auto g = quint8(dt[idx + 1] & 0xF0);
            auto b = quint8(dt[idx + 1] & 0x0F);
            pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
        }
+    }
    return pal;
 }

@ -2510,11 +2512,13 @@ QList<QRgb> SHAMChunk::palette(qint32 y) const
    for (auto c = 0, col = bpp / 2, idx0 = y / div * bpp + 2; c < col; ++c) {
        // 2 bytes per color (0x0R 0xGB)
        auto idx = idx0 + c * 2;
+        if (idx + 1 < dt.size()) {
            auto r = quint8(dt[idx] & 0x0F);
            auto g = quint8(dt[idx + 1] & 0xF0);
            auto b = quint8(dt[idx + 1] & 0x0F);
            pal << qRgb(r | (r << 4), (g >> 4) | g, b | (b << 4));
        }
+    }
    return pal;
 }

@ -2570,6 +2574,7 @@ QList<QRgb> RASTChunk::palette(qint32 y) const
    QList<QRgb> pal;
    for (auto c = 0; c < col; ++c) {
        auto idx = bpp * y + 2 + c * 2;
+        if (idx + 1 < dt.size()) {
            // The Atari ST uses 3 bits per color (512 colors) while the Atari STE
            // uses 4 bits per color (4096 colors). This strange encoding with the
            // least significant bit set as MSB is, I believe, to ensure hardware
@ -2581,6 +2586,7 @@ QList<QRgb> RASTChunk::palette(qint32 y) const
            #undef H1L
            pal << qRgb(r | (r << 4), (g << 4) | g, b | (b << 4));
        }
+    }
    return pal;
 }