From efcfb1918766cf4b0c78949e1be47d3c05707cf8 Mon Sep 17 00:00:00 2001
From: kornes <28986062+kornes@users.noreply.github.com>
Date: Sat, 28 May 2022 11:48:31 +0000
Subject: [PATCH] Add safe checks around use of QImageReader (#3736)

Co-authored-by: pajlada
---
 src/messages/Image.cpp | 32 +++++++++++++++++++--------
 src/messages/MessageBuilder.cpp | 1 -
 src/providers/twitch/TwitchBadges.cpp | 14 ++++++++++--
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/src/messages/Image.cpp b/src/messages/Image.cpp
index 89e382fc3..fda0637f6 100644
--- a/src/messages/Image.cpp
+++ b/src/messages/Image.cpp
@@ -138,14 +138,6 @@ namespace detail {
 {
 QVector> frames;
 
- if (reader.imageCount() == 0)
- {
- qCDebug(chatterinoImage)
- << "Error while reading image" << url.string << ": '"
- << reader.errorString() << "'";
- return frames;
- }
-
 QImage image;
 for (int index = 0; index < reader.imageCount(); ++index)
 {
@@ -413,8 +405,30 @@ void Image::actuallyLoad()
 buffer.open(QIODevice::ReadOnly);
 QImageReader reader(&buffer);
 
+ if (!reader.canRead())
+ {
+ qCDebug(chatterinoImage)
+ << "Error: image cant be read " << shared->url().string;
+ return Failure;
+ }
+
+ const auto size = reader.size();
+ if (size.isEmpty())
+ {
+ return Failure;
+ }
+
+ // returns 1 for non-animated formats
+ if (reader.imageCount() <= 0)
+ {
+ qCDebug(chatterinoImage)
+ << "Error: image has less than 1 frame "
+ << shared->url().string << ": " << reader.errorString();
+ return Failure;
+ }
+
 // use "double" to prevent int overflows
- if (double(reader.size().width()) * double(reader.size().height()) *
+ if (double(size.width()) * double(size.height()) *
 double(reader.imageCount()) * 4.0 >
 double(Image::maxBytesRam))
 {
diff --git a/src/messages/MessageBuilder.cpp b/src/messages/MessageBuilder.cpp
index 376d1fa48..c34fd3b85 100644
--- a/src/messages/MessageBuilder.cpp
+++ b/src/messages/MessageBuilder.cpp
@@ -14,7 +14,6 @@
 #include "util/FormatTime.hpp"
 
 #include
-#include
 
 namespace chatterino {
 
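Review bot: In the second hunk of src/messages/Image.cpp (Image::actuallyLoad), the `reader.imageCount() <= 0` guard treats 0 as a failure on the strength of the comment `// returns 1 for non-animated formats`, but the QImageReader documentation, as I read it, gives 0 as the result for formats without animation support, so the check depends on how each format handler implements the call. A handler that follows the documented contract would have its valid still images rejected here; at minimum the comment should say so, for example `// Qt's bundled handlers report 1 for still images; 0 or -1 is treated as unreadable`. The `size.isEmpty()` branch also returns Failure without a log line, unlike the branches on either side of it, which makes a rejected remote image hard to trace; `qCDebug(chatterinoImage) << "Error: image has empty size " << shared->url().string;` would match them. The function begins and ends outside the hunk.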
diff --git a/src/providers/twitch/TwitchBadges.cpp b/src/providers/twitch/TwitchBadges.cpp
index 4394da9e6..11fe07af5 100644
--- a/src/providers/twitch/TwitchBadges.cpp
+++ b/src/providers/twitch/TwitchBadges.cpp
@@ -204,8 +204,18 @@ void TwitchBadges::loadEmoteImage(const QString &name, ImagePtr image,
 buffer.open(QIODevice::ReadOnly);
 QImageReader reader(&buffer);
 
- QImage image;
- if (reader.imageCount() == 0 || !reader.read(&image))
+ if (!reader.canRead() || reader.size().isEmpty())
+ {
+ return Failure;
+ }
+
+ QImage image = reader.read();
+ if (image.isNull())
+ {
+ return Failure;
+ }
+
+ if (reader.imageCount() <= 0)
 {
 return Failure;
 }
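Review bot: The `reader.imageCount() <= 0` check sits after `reader.read()`, so it cannot stop a malformed badge from being decoded and can only discard an image that has already decoded successfully; it belongs in the pre-read guard, `if (!reader.canRead() || reader.size().isEmpty() || reader.imageCount() <= 0)`. Unlike the Image.cpp hunk of this commit, nothing here bounds the reported dimensions before the full decode, so badge data with a very large declared size is decoded without a limit. A cap analogous to the `Image::maxBytesRam` comparison would close that gap, assuming the constant is reachable from this file. loadEmoteImage starts and ends outside the hunk.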