From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001
From: Samuel Gaist <samuel.gaist@idiap.ch>
Date: Fri, 09 May 2025 17:12:49 +0200
Subject: [PATCH] Fix validation issue for ICNS image
The header validation logic could trigger an assert when an invalid ICNS
image was loaded. This patch fixes the validation logic.
Credit to OSS-Fuzz
Fixes: QTBUG-136707
Pick-to: 6.9 6.8 6.5
Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
index 6cf74b2..501394d 100644
--- a/src/plugins/imageformats/icns/qicnshandler.cpp
+++ b/src/plugins/imageformats/icns/qicnshandler.cpp
@@ -324,8 +324,11 @@
static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
{
- return header.ostype != 0 && (bound == 0
- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
+ return header.ostype != 0 &&
+ (bound == 0 ||
+ // qBound can be used but requires checking the limits first
+ // this requires less operations
+ (ICNSBlockHeaderSize <= header.length && header.length <= bound));
}
static inline bool isIconCompressed(const ICNSEntry &icon)
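Review bot: The new comment in isBlockHeaderValid() gives operation count as the reason for dropping qBound(), but the reason a maintainer needs is that qBound() asserts min <= max, and `bound` is derived from file contents and can be smaller than ICNSBlockHeaderSize. I would replace the two comment lines with `// Not qBound(): it asserts min <= max, and bound comes from untrusted file data and may be < ICNSBlockHeaderSize.` The `bound == 0` branch, which skips the length check entirely, is also undocumented; a line above the function such as `// bound == 0 means "no upper limit on header.length".` would make that contract visible to callers.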
@@ -870,7 +873,7 @@
return false;
const qint64 blockDataOffset = device()->pos();
- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
+ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
QByteArray::number(blockDataOffset).constData(),
nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
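Review bot: The bound passed to isBlockHeaderValid() on the changed line is still computed from untrusted values and can come out as zero or negative, and neither case is rejected before the call. blockDataOffset is a qint64 and the parameter is a quint64, so a negative result would presumably convert to a very large bound, and an exact 0 takes the `bound == 0` "no limit" branch; in both cases header.length goes unchecked. At minimum I would reject the negative case explicitly: `const qint64 remaining = ICNSBlockHeaderSize - blockDataOffset + filelength;` followed by `if (remaining < 0 || !isBlockHeaderValid(blockHeader, quint64(remaining))) {`. Whether a computed 0 should also be rejected depends on how the first block is handled, and the start of scanDevice() and the declaration of filelength are outside this hunk.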