51d710adda
Summary: I had a look at some image loading code in kimageformats and found memory corruption bugs (there might be more): - oobwrite4b.xcf: OOB write in kimg_xcf: By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten: https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484 The values aren't arbitrary, so AFAICT DoS only. Fix is to move the sanity check for size below the assignment. - oobread.tga: OOB read in kimg_tga: By overflowing the "size = tga.width * tga.height * pixel_size" calculation, it's possible to cause OOB reads later on as the image data array is too small: https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192 Fix is to use a 64bit integer instead. - oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga If RLE is enabled, any size checks are skipped, so it's possible to write either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga) or or 507 arbitrary bytes (oobwrite507.tga) out of bounds. https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209 Fix is to check for "num" being negative before reading into the buffer. Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise) Test Plan: Stopped crashing and valgrind don't complain anymore. TGA preview still works for valid files. Reviewers: aacid Reviewed By: aacid Subscribers: lbeltrame, kde-frameworks-devel Tags: #frameworks Differential Revision: https://phabricator.kde.org/D18574
KImageFormats
Plugins to allow QImage to support extra file formats.
Introduction
This framework provides additional image format plugins for QtGui. As such it is not required for the compilation of any other software, but may be a runtime requirement for Qt-based software to support certain image formats.
Formats
The following image formats have read-only support:
- Gimp (xcf)
- OpenEXR (exr)
- Photoshop documents (psd)
- Sun Raster (ras)
The following image formats have read and write support:
- Encapsulated PostScript (eps)
- Personal Computer Exchange (pcx)
- SGI images (rgb, rgba, sgi, bw)
- Softimage PIC (pic)
- Targa (tga): supports more formats than Qt's version
- XView (xv)
Contributing
See the QImageIOPlugin documentation for information on how to write a new plugin.
The main difference between this framework and the qimageformats module of Qt is the license. As such, if you write an imageformat plugin and you are willing to sign the Qt Project contributor agreement, it may be better to submit the plugin directly to the Qt Project.
Note that the imageformat plugins provided by this module also provide a desktop file. This is for the benefit of KImageIO in the KDE4 Support framework.
Duplicated Plugins
The TGA plugin supports more formats than Qt's own TGA plugin; specifically, the one provided here supports indexed, greyscale and RLE images (types 1-3 and 9-11), while Qt's plugin only supports type 2 (RGB) files.
The code for this cannot be contributed upstream directly because of licensing. If anyone were willing to write fresh code to improve Qt's TGA plugin, it would allow the TGA plugin in this framework to be removed.
License
This framework is licensed under the LGPLv2.1.
The CMake code in this framework is licensed under the BSD license.