From f39ca9dc9bff27a7c087fd4fc58c148c0f66914a Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 14 Jan 2025 00:37:20 +0100
Subject: [PATCH] ani: Read chunk elements one at a time instead all at once

This way if the file is malformed and there's not that many elements we don't
try allocate too much memory to read into

BUGS: 498368
---
 src/imageformats/ani.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/imageformats/ani.cpp b/src/imageformats/ani.cpp
index 5fa0d46..9c5a935 100644
--- a/src/imageformats/ani.cpp
+++ b/src/imageformats/ani.cpp
@@ -376,16 +376,18 @@ bool ANIHandler::ensureScanned() const
             mutableThis->m_imageCount = aniHeader->nSteps;
             mutableThis->m_displayRate = aniHeader->iDispRate;
         } else if (chunkId == "rate" || chunkId == "seq ") {
-            const QByteArray data = device()->read(chunkSize);
-            if (static_cast<quint32_le>(data.size()) != chunkSize || data.size() % sizeof(quint32_le) != 0) {
+            if (chunkSize % sizeof(quint32_le) != 0) {
                 return false;
             }
 
             // TODO should we check that the number of rate entries matches nSteps?
-            auto *dataPtr = data.data();
             QList<int> list;
-            for (int i = 0; i < data.size(); i += sizeof(quint32_le)) {
-                const auto entry = *(reinterpret_cast<const quint32_le *>(dataPtr + i));
+            for (unsigned int i = 0; i < chunkSize; i += sizeof(quint32_le)) {
+                const QByteArray data = device()->read(sizeof(quint32_le));
+                if (data.size() != sizeof(quint32_le)) {
+                    return false;
+                }
+                const auto entry = *(reinterpret_cast<const quint32_le *>(data.data()));
                 list.append(entry);
             }