Summary:
Seems only gcc can do a constexpr with strlen.
This fixes the build with clang, hopefully also with MSVC?
Reviewers: svuorela
Reviewed By: svuorela
Subscribers: svuorela, apol, pino, kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D20149
Summary:
As one can see in SGIImage::readImage the accepted images are
    _stream >> u16;
    if (u16 != 0x01da) {   // SGI magic, read big-endian by QDataStream
        return false;
    }
    _stream >> _rle;
    if (_rle > 1) {        // storage byte: 0 = verbatim, 1 = RLE
        return false;
    }
so not only \x01\xda\x01 but also \x01\xda\x00
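The same acceptance test, as an added example that is not kimageformats code: it re-implements the quoted check on a raw byte buffer (names sgiHeaderAccepted and data are assumptions), decoding the magic big-endian as QDataStream does by default, and refuses inputs shorter than three bytes rather than reading past the end. It accepts exactly the two byte sequences named above.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not kimageformats code). Mirrors the check quoted in the
// commit message: a big-endian 16-bit magic of 0x01da followed by the
// storage byte, which must be 0 (verbatim) or 1 (RLE).
bool sgiHeaderAccepted(const std::vector<uint8_t>& data) {
    if (data.size() < 3) {
        return false;                        // too short to hold magic + storage byte
    }
    const uint16_t magic = uint16_t(uint16_t(data[0]) << 8 | data[1]);
    if (magic != 0x01da) {
        return false;                        // not an SGI image
    }
    const uint8_t rle = data[2];
    return rle <= 1;                         // both \x00 and \x01 are accepted
}
```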
Reviewers: svuorela
Reviewed By: svuorela
Subscribers: svuorela, kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D20145
Replace QVector::operator[] with QVector::value() since we can't know for
sure the values will be in range, so use value() that gives us a 0 if the
index is not in range.
oss-fuzz/13462
Qt also has a tga image plugin so unless we make sure ours is used first
tests are not testing what they should
On a side note, their plugin fails our tests, so someone with enough time
should report the failures to them.
Summary:
I had a look at some image loading code in kimageformats and found memory
corruption bugs (there might be more):
- oobwrite4b.xcf: OOB write in kimg_xcf:
By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make
size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484
The values aren't arbitrary, so AFAICT DoS only.
Fix is to move the sanity check for size below the assignment.
- oobread.tga: OOB read in kimg_tga:
By overflowing the "size = tga.width * tga.height * pixel_size" calculation,
it's possible to cause OOB reads later on as the image data array is too small:
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192
Fix is to use a 64bit integer instead.
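Both of the size calculations above go wrong the same way: a product or sum of attacker-controlled 32-bit values wraps around, so the sanity check that follows compares against a tiny number and the allocation ends up far smaller than the data later written into or read from it. The block below is an added example, not kimageformats code: it shows each calculation in its wrapping 32-bit form next to a checked 64-bit form of the kind the fixes use. Function names, the choice of uint32_t for ncolors, and the blockSize/maxBytes caps are assumptions, not the project's identifiers.

```cpp
#include <cstdint>
#include <optional>

// Added example (not kimageformats code). ncolors is assumed to be a 32-bit
// value read straight from the file.

// XCF palette block, naive form: 3 * ncolors + 4 computed in 32 bits wraps
// modulo 2^32, so a huge ncolors can yield a size of 3 or 0.
uint32_t xcfPaletteSizeNaive(uint32_t ncolors) {
    return 3u * ncolors + 4u;
}

// Checked form: do the arithmetic in 64 bits, then apply the sanity check to
// the real value. blockSize is the number of bytes the palette property can
// actually contain (assumed cap); anything larger is rejected.
std::optional<int64_t> xcfPaletteSizeChecked(uint32_t ncolors, int64_t blockSize) {
    const int64_t size = 3 * int64_t(ncolors) + 4;
    if (size > blockSize) {
        return std::nullopt;   // more colour entries than the block can hold
    }
    return size;
}

// TGA image buffer, naive form: width and height are 16-bit header fields,
// so width * height * pixel_size can reach 2^34 and wraps in 32 bits.
uint32_t tgaImageSizeNaive(uint16_t width, uint16_t height, uint32_t pixelSize) {
    return uint32_t(width) * uint32_t(height) * pixelSize;
}

// Checked form: 64-bit product, pixel size limited to the 1..4 bytes TGA
// allows, and a cap (maxBytes, assumed) on what we are willing to allocate.
std::optional<int64_t> tgaImageSizeChecked(uint16_t width, uint16_t height,
                                           int pixelSize, int64_t maxBytes) {
    if (pixelSize < 1 || pixelSize > 4) {
        return std::nullopt;
    }
    const int64_t size = int64_t(width) * int64_t(height) * pixelSize;
    if (size > maxBytes) {
        return std::nullopt;   // would allocate far more than the caller permits
    }
    return size;
}
```

With ncolors = 0x55555555 the naive XCF size is 3 and with 0x55555554 it is 0, which is exactly the "size == 3 or size == 0" case described above; a 32768 x 32768 image with 4-byte pixels has a naive TGA size of 0 because 2^32 wraps to zero. The checked variants reject both.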
- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga
If RLE is enabled, any size checks are skipped, so it's possible to write
either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)
or 507 arbitrary bytes (oobwrite507.tga) out of bounds.
https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209
Fix is to check for "num" being negative before reading into the buffer.
Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)
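An added example, not kimageformats code, of an RLE unpacker with the two checks this commit describes: it refuses a packet that would write past the end of the output buffer (the negative "num" case) and stops as soon as the input runs dry instead of spinning until a 65k x 65k buffer is filled. It also carries a small bounds-safe lookup in the spirit of the QVector::value() change in the earlier commit. The packet layout is the usual TGA one (header byte; bit 7 set means repeat the next pixel count times, clear means count raw pixels follow); the names unpackRle and valueAt, and the sample inputs in the test, are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not kimageformats code). 'out' has already been sized to
// width * height * pixelSize; 'in' is the raw packet stream after the header.
// Returns false when the input is truncated or a packet would overrun 'out'.
bool unpackRle(const std::vector<uint8_t>& in, size_t pixelSize, std::vector<uint8_t>& out) {
    size_t ip = 0;   // read position in 'in'
    size_t op = 0;   // write position in 'out'
    while (op < out.size()) {
        if (ip >= in.size()) {
            return false;                       // no more data: bail out early
        }
        const uint8_t hdr = in[ip++];
        const size_t count = size_t(hdr & 0x7f) + 1;   // 1..128 pixels per packet
        const size_t bytes = count * pixelSize;
        if (bytes > out.size() - op) {
            return false;                       // packet would write out of bounds
        }
        if (hdr & 0x80) {                       // run-length packet: one pixel, repeated
            if (in.size() - ip < pixelSize) {
                return false;                   // pixel value is truncated
            }
            for (size_t i = 0; i < count; ++i) {
                for (size_t b = 0; b < pixelSize; ++b) {
                    out[op++] = in[ip + b];
                }
            }
            ip += pixelSize;
        } else {                                // raw packet: count pixels follow
            if (in.size() - ip < bytes) {
                return false;                   // raw data is truncated
            }
            for (size_t b = 0; b < bytes; ++b) {
                out[op++] = in[ip++];
            }
        }
    }
    return true;
}

// Bounds-safe element access in the spirit of QVector::value(): an index
// outside the container yields 0 instead of an out-of-bounds read.
uint8_t valueAt(const std::vector<uint8_t>& v, size_t index) {
    return index < v.size() ? v[index] : 0;
}
```

A run packet with header 0xFF asks for 128 copies of the following pixel; against a four-byte output buffer that is the oobwrite4b shape, and the unpacker rejects it before touching the buffer. A 14-byte input against a 65k x 65k buffer fails on the first read past the end rather than looping.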
Test Plan:
Stopped crashing and valgrind doesn't complain anymore.
TGA preview still works for valid files.
Reviewers: aacid
Reviewed By: aacid
Subscribers: lbeltrame, kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D18574