Commit a288a7ba authored by Fabian Vogt's avatar Fabian Vogt
Browse files

thumbnail: Check shm size before writing to it

The SHM is created by the application, which might've done a different size
calculation. Verify that the data fits instead of writing past the end and
crashing.

CCBUG: 430862


(cherry picked from commit 112b67ae)
parent 4ee5b9de
......@@ -288,14 +288,15 @@ void ThumbnailProtocol::get(const QUrl &url)
error(KIO::ERR_INTERNAL, i18n("Failed to attach to shared memory segment %1", shmid));
return;
}
if (img.width() * img.height() > m_width * m_height) {
if( img.format() != QImage::Format_ARGB32 ) { // KIO::PreviewJob and this code below completely ignores colortable :-/,
img = img.convertToFormat(QImage::Format_ARGB32); // so make sure there is none
}
struct shmid_ds shmStat;
if (shmctl(shmid.toInt(), IPC_STAT, &shmStat) == -1 || shmStat.shm_segsz < img.sizeInBytes()) {
error(KIO::ERR_INTERNAL, i18n("Image is too big for the shared memory segment"));
shmdt((char*)shmaddr);
return;
}
if( img.format() != QImage::Format_ARGB32 ) { // KIO::PreviewJob and this code below completely ignores colortable :-/,
img = img.convertToFormat(QImage::Format_ARGB32); // so make sure there is none
}
// Keep in sync with kdelibs/kio/kio/previewjob.cpp
stream << img.width() << img.height() << quint8(img.format());
memcpy(shmaddr, img.bits(), img.sizeInBytes());
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment