mirror/kimageformats
1
0
Fork 0
mirror of https://invent.kde.org/frameworks/kimageformats.git synced 2025-06-03 17:08:08 -04:00
Code Issues Packages Projects Releases Wiki Activity
203 Commits 9 Branches 284 Tags
Commit Graph

13 Commits

Author SHA1 Message Date
Albert Astals Cid
a51cbd865f tga: fail gracefully if readRawData errors 
oss-fuzz/12818
 2019-02-03 13:49:11 +01:00
Albert Astals Cid
8e48d67568 Uncomment the qdebug includes 
i've wasted enough time uncommenting and commenting them again
 2019-01-31 01:37:09 +01:00
Albert Astals Cid
8b8330b0fe tga: Fix Use-of-uninitialized-value on broken files 
oss-fuzz/12776
 2019-01-31 01:35:39 +01:00
Albert Astals Cid
18e17d3a7a tga: Don't support more than 8 alpha bits 
Fixes undefined left shift with negative values

oss-fuzz/12764
 2019-01-29 12:39:52 +01:00
Fabian Vogt
51d710adda Fix various OOB reads and writes in kimg_tga and kimg_xcf 
Summary:
I had a look at some image loading code in kimageformats and found memory
corruption bugs (there might be more):

- oobwrite4b.xcf: OOB write in kimg_xcf:

By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make
size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484
The values aren't arbitrary, so AFAICT DoS only.
Fix is to move the sanity check for size below the assignment.

- oobread.tga: OOB read in kimg_tga:

By overflowing the "size = tga.width * tga.height * pixel_size" calculation,
it's possible to cause OOB reads later on as the image data array is too small:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192
Fix is to use a 64bit integer instead.

- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga

If RLE is enabled, any size checks are skipped, so it's possible to write
either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)
or or 507 arbitrary bytes (oobwrite507.tga) out of bounds.
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209
Fix is to check for "num" being negative before reading into the buffer.

Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)

Test Plan:
Stopped crashing and valgrind don't complain anymore.

TGA preview still works for valid files.

Reviewers: aacid

Reviewed By: aacid

Subscribers: lbeltrame, kde-frameworks-devel

Tags: #frameworks

Differential Revision: https://phabricator.kde.org/D18574
 2019-01-28 14:21:27 +01:00
Laurent Montel
698ba297d3 We depend against 5.8.0 now 2018-03-27 08:01:04 +02:00
Laurent Montel
e5b226e804 Remove not necessary QtCore and co 2018-03-11 13:49:26 +01:00
Martin Koller
7f2c44add4 Use brace-initializer instead of nullptr in returning 0-QFlags 
Differential Revision: https://phabricator.kde.org/D9182
 2017-12-05 19:34:30 +01:00
Montel Laurent
b040cf0f96 Use Q_FALLTHROUGH 2017-06-02 07:52:48 +02:00
Kevin Funk
740fe5df0e Use nullptr everywhere 
Differential Revision: https://phabricator.kde.org/D3987
 2017-01-16 09:44:17 +01:00
Alex Merry
c9ca1f1862 Rename headers to end with _p.h 
Frameworks have a convention of naming uninstalled headers in src/ with
a _p at the end of the name, to make it clear they are not part of the
API. None of the headers in KImageFormats are installed, so it is not
really necessary to follow this convention, but we follow it anyway for
the benefit of both humans and tools (like kapidox).
 2014-08-03 18:08:49 +01:00
David Faure
02b5e97197 Code reformatted using kde-dev-scripts/astyle-kdelibs. 
Use git blame -w 47df948 to show authorship as it was before this commit.
 2013-12-18 09:54:11 +01:00
Jenkins CI
47df9483fd Move kimageformats code to the root directory. 2013-12-18 00:45:18 +00:00