-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

diff -u -3 -d -p -r1.4 -r1.4.2.1
- --- exr.cpp	22 Nov 2004 03:48:27 -0000	1.4
+++ exr.cpp	19 Apr 2005 10:48:00 -0000	1.4.2.1
@@ -136,6 +136,8 @@ KDE_EXPORT void kimgio_exr_read( QImageI
         file.readPixels (dw.min.y, dw.max.y);
 
 		QImage image(width, height, 32, 0, QImage::BigEndian);
+		if( image.isNull())
+			return;
 
 		// somehow copy pixels into image
 		for ( int y=0; y < height; y++ ) {
diff -u -3 -d -p -r1.4 -r1.4.2.1
- --- g3r.cpp	22 Nov 2004 03:48:27 -0000	1.4
+++ g3r.cpp	18 Apr 2005 13:08:44 -0000	1.4.2.1
@@ -28,7 +28,7 @@ KDE_EXPORT void kimgio_g3_read( QImageIO
 
   QImage image(width, height, 1, 0, QImage::BigEndian);
   
- -  if (scanlength != image.bytesPerLine())
+  if (image.isNull() || scanlength != image.bytesPerLine())
     {
       TIFFClose(tiff);
       return;
diff -u -3 -d -p -r1.14 -r1.14.2.1
- --- jp2.cpp	22 Nov 2004 03:48:27 -0000	1.14
+++ jp2.cpp	19 Apr 2005 10:48:00 -0000	1.14.2.1
@@ -157,8 +157,9 @@ namespace {
 	void
 	draw_view_gray( gs_t& gs, QImage& qti )
 	{
- -		qti.create( jas_image_width( gs.image ), jas_image_height( gs.image ),
- -			8, 256 );
+		if( !qti.create( jas_image_width( gs.image ), jas_image_height( gs.image ),
+			8, 256 ))
+			return;
 		for( int i = 0; i < 256; ++i )
 			qti.setColor( i, qRgb( i, i, i ) );
 
diff -u -3 -d -p -r1.12 -r1.12.2.2
- --- pcx.cpp	22 Nov 2004 03:48:27 -0000	1.12
+++ pcx.cpp	19 Apr 2005 10:48:00 -0000	1.12.2.2
@@ -1,5 +1,5 @@
 /* This file is part of the KDE project
- -   Copyright (C) 2002-2003 Nadeem Hasan <nhasan@kde.org>
+   Copyright (C) 2002-2005 Nadeem Hasan <nhasan@kde.org>
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -44,6 +44,11 @@ static QDataStream &operator>>( QDataStr
   s >> ph.HScreenSize;
   s >> ph.VScreenSize;
 
+  // Skip the rest of the header
+  Q_UINT8 byte;
+  while ( s.device()->at() < 128 )
+    s >> byte;
+
   return s;
 }
 
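Review bot: The skip loop `while ( s.device()->at() < 128 ) s >> byte;` has no end-of-data condition, so on input that ends before offset 128 it only terminates if the device position keeps advancing at EOF; if it does not, the reader spins forever on a truncated file. Add the stream check to the condition: `while ( !s.atEnd() && s.device()->at() < 128 )`. The loop also treats `at()` as an offset from the start of the PCX data, which holds only when the image begins at position 0 of the device; a one-line comment stating that assumption would help. The operator's body begins above the hunk.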
@@ -85,25 +90,22 @@ static QDataStream &operator<<( QDataStr
   return s;
 }
 
- -static PCXHEADER header;
- -static QImage img;
- -static Q_UINT16 w, h;
- -
- -void PCXHEADER::reset()
+PCXHEADER::PCXHEADER()
 {
+  // Initialize all data to zero
   QByteArray dummy( 128 );
   dummy.fill( 0 );
   QDataStream s( dummy, IO_ReadOnly );
   s >> *this;
 }
 
- -static void readLine( QDataStream &s, QByteArray &buf )
+static void readLine( QDataStream &s, QByteArray &buf, const PCXHEADER &header )
 {
   Q_UINT32 i=0;
   Q_UINT32 size = buf.size();
   Q_UINT8 byte, count;
 
- -  if ( header.Encoding == 1 )
+  if ( header.isCompressed() )
   {
     // Uncompress the image data
     while ( i < size )
@@ -130,13 +132,14 @@ static void readLine( QDataStream &s, QB
   }
 }
 
- -static void readImage1( QDataStream &s )
+static void readImage1( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine );
 
- -  img.create( w, h, 1, 2, QImage::BigEndian );
+  if(!img.create( header.width(), header.height(), 1, 2, QImage::BigEndian ))
+    return;
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -144,10 +147,11 @@ static void readImage1( QDataStream &s )
       return;
     }
 
- -    readLine( s, buf );
- -
- -    for ( int x=0; x<header.BytesPerLine; ++x )
- -      *( img.scanLine( y )+x ) = buf[ x ];
+    readLine( s, buf, header );
+    uchar *p = img.scanLine( y );
+    unsigned int bpl = QMIN((header.width()+7)/8, header.BytesPerLine);
+    for ( unsigned int x=0; x< bpl; ++x )
+      p[ x ] = buf[x];
   }
 
   // Set the color palette
@@ -155,14 +159,15 @@ static void readImage1( QDataStream &s )
   img.setColor( 1, qRgb( 255, 255, 255 ) );
 }
 
- -static void readImage4( QDataStream &s )
+static void readImage4( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine*4 );
- -  QByteArray pixbuf( w );
+  QByteArray pixbuf( header.width() );
 
- -  img.create( w, h, 8, 16, QImage::IgnoreEndian );
+  if(!img.create( header.width(), header.height(), 8, 16 ))
+    return;
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -171,20 +176,19 @@ static void readImage4( QDataStream &s )
     }
 
     pixbuf.fill( 0 );
- -    readLine( s, buf );
+    readLine( s, buf, header );
 
     for ( int i=0; i<4; i++ )
     {
       Q_UINT32 offset = i*header.BytesPerLine;
- -      for ( int x=0; x<w; ++x )
+      for ( unsigned int x=0; x<header.width(); ++x )
         if ( buf[ offset + ( x/8 ) ] & ( 128 >> ( x%8 ) ) )
           pixbuf[ x ] += ( 1 << i );
     }
 
     uchar *p = img.scanLine( y );
- -
- -    for ( int x=0; x<w; ++x )
- -      *p++ = pixbuf[ x ];
+    for ( unsigned int x=0; x<header.width(); ++x )
+      p[ x ] = pixbuf[ x ];
   }
 
   // Read the palette
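Review bot: The plane-unpacking loop in readImage4 still indexes `buf[ offset + ( x/8 ) ]` for every `x < header.width()`, while `buf` holds only `header.BytesPerLine*4` bytes and both values come from the file header. When BytesPerLine is smaller than `( header.width()+7 )/8`, the index for the last plane runs past the end of `buf`, which is an out-of-bounds read unless QByteArray's `operator[]` range-checks in this build. readImage1 and readImage8 are clamped with QMIN in this commit; the same is needed here, e.g. `if ( header.BytesPerLine < ( header.width()+7 )/8 ) return;` at the top of readImage4, which starts above this hunk. The readImage24 hunk (`@@ -246,14 +252,13 @@`) has the same gap: `r_buf[ x ]`, `g_buf[ x ]` and `b_buf[ x ]` are read for `x < header.width()` from buffers of `header.BytesPerLine` bytes, so that loop should be bounded by `QMIN( header.width(), header.BytesPerLine )`.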
@@ -192,13 +196,14 @@ static void readImage4( QDataStream &s )
     img.setColor( i, header.ColorMap.color( i ) );
 }
 
- -static void readImage8( QDataStream &s )
+static void readImage8( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine );
 
- -  img.create( w, h, 8, 256, QImage::IgnoreEndian );
+  if(!img.create( header.width(), header.height(), 8, 256 ))
+    return;
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -206,19 +211,19 @@ static void readImage8( QDataStream &s )
       return;
     }
 
- -    readLine( s, buf );
+    readLine( s, buf, header );
 
     uchar *p = img.scanLine( y );
- -
- -    for ( int x=0; x<header.BytesPerLine; ++x )
- -      *p++ = buf[ x ];
+    unsigned int bpl = QMIN(header.BytesPerLine, header.width());
+    for ( unsigned int x=0; x<bpl; ++x )
+      p[ x ] = buf[ x ];
   }
 
   Q_UINT8 flag;
   s >> flag;
- -  kdDebug() << "Flag: " << flag << endl;
+  kdDebug( 399 ) << "Palette Flag: " << flag << endl;
 
- -  if ( flag == 12 && header.Version == 5 )
+  if ( flag == 12 && ( header.Version == 5 || header.Version == 2 ) )
   {
     // Read the palette
     Q_UINT8 r, g, b;
@@ -230,15 +235,16 @@ static void readImage8( QDataStream &s )
   }
 }
 
- -static void readImage24( QDataStream &s )
+static void readImage24( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray r_buf( header.BytesPerLine );
   QByteArray g_buf( header.BytesPerLine );
   QByteArray b_buf( header.BytesPerLine );
 
- -  img.create( w, h, 32 );
+  if(!img.create( header.width(), header.height(), 32 ))
+    return;
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -246,14 +252,13 @@ static void readImage24( QDataStream &s 
       return;
     }
 
- -    readLine( s, r_buf );
- -    readLine( s, g_buf );
- -    readLine( s, b_buf );
+    readLine( s, r_buf, header );
+    readLine( s, g_buf, header );
+    readLine( s, b_buf, header );
 
     uint *p = ( uint * )img.scanLine( y );
- -
- -    for ( int x=0; x<header.BytesPerLine; ++x )
- -      *p++ = qRgb( r_buf[ x ], g_buf[ x ], b_buf[ x ] );
+    for ( unsigned int x=0; x<header.width(); ++x )
+      p[ x ] = qRgb( r_buf[ x ], g_buf[ x ], b_buf[ x ] );
   }
 }
 
@@ -268,6 +273,8 @@ KDE_EXPORT void kimgio_pcx_read( QImageI
     return;
   }
 
+  PCXHEADER header;
+
   s >> header;
 
   if ( header.Manufacturer != 10 || s.atEnd())
@@ -276,10 +283,8 @@ KDE_EXPORT void kimgio_pcx_read( QImageI
     return;
   }
 
- -  w = ( header.XMax-header.XMin ) + 1;
- -  h = ( header.YMax-header.YMin ) + 1;
- -
- -  img.reset();
+  int w = header.width();
+  int h = header.height();
 
   kdDebug( 399 ) << "Manufacturer: " << header.Manufacturer << endl;
   kdDebug( 399 ) << "Version: " << header.Version << endl;
@@ -288,30 +293,27 @@ KDE_EXPORT void kimgio_pcx_read( QImageI
   kdDebug( 399 ) << "Width: " << w << endl;
   kdDebug( 399 ) << "Height: " << h << endl;
   kdDebug( 399 ) << "Window: " << header.XMin << "," << header.XMax << "," 
- -            << header.YMin << "," << header.YMax << endl;
+                 << header.YMin << "," << header.YMax << endl;
   kdDebug( 399 ) << "BytesPerLine: " << header.BytesPerLine << endl;
   kdDebug( 399 ) << "NPlanes: " << header.NPlanes << endl;
 
- -  // Skip the rest of the header
- -  Q_UINT8 byte;
- -  while ( s.device()->at() < 128 )
- -    s >> byte;
+  QImage img;
 
   if ( header.Bpp == 1 && header.NPlanes == 1 )
   {
- -    readImage1( s );
+    readImage1( img, s, header );
   }
   else if ( header.Bpp == 1 && header.NPlanes == 4 )
   {
- -    readImage4( s );
+    readImage4( img, s, header );
   }
   else if ( header.Bpp == 8 && header.NPlanes == 1 )
   {
- -    readImage8( s );
+    readImage8( img, s, header );
   }
   else if ( header.Bpp == 8 && header.NPlanes == 3 )
   {
- -    readImage24( s );
+    readImage24( img, s, header );
   }
 
   kdDebug( 399 ) << "Image Bytes: " << img.numBytes() << endl;
@@ -359,7 +361,7 @@ static void writeLine( QDataStream &s, Q
   }
 }
 
- -static void writeImage1( QDataStream &s )
+static void writeImage1( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   img = img.convertBitOrder( QImage::BigEndian );
 
@@ -367,29 +369,27 @@ static void writeImage1( QDataStream &s 
   header.NPlanes = 1;
   header.BytesPerLine = img.bytesPerLine();
 
- -  header.ColorMap.setColor( 0, qRgb( 0, 0, 0 ) );
- -  header.ColorMap.setColor( 1, qRgb( 255, 255, 255 ) );
- -
   s << header;
 
   QByteArray buf( header.BytesPerLine );
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
+    // Invert as QImage uses reverse palette for monochrome images?
     for ( int i=0; i<header.BytesPerLine; ++i )
- -      buf[ i ] = p[ i ];
+      buf[ i ] = ~p[ i ];
 
     writeLine( s, buf );
   }
 }
 
- -static void writeImage4( QDataStream &s )
+static void writeImage4( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 1;
   header.NPlanes = 4;
- -  header.BytesPerLine = w/8;
+  header.BytesPerLine = header.width()/8;
 
   for ( int i=0; i<16; ++i )
     header.ColorMap.setColor( i, img.color( i ) );
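Review bot: `header.BytesPerLine = header.width()/8;` in writeImage4 rounds down, so for a width that is not a multiple of 8 the per-plane buffers, which the next hunk resizes to BytesPerLine, are one byte short for the last pixels of each row. The pixel loop that fills them runs to `header.width()` and is only partly visible, so confirm how it indexes the plane buffers; if it uses `x/8` it writes past their end. Rounding up fixes the size: `header.BytesPerLine = ( header.width()+7 )/8;`.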
@@ -401,14 +401,14 @@ static void writeImage4( QDataStream &s 
   for ( int i=0; i<4; ++i )
       buf[ i ].resize( header.BytesPerLine );
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
     for ( int i=0; i<4; ++i )
       buf[ i ].fill( 0 );
 
- -    for ( int x=0; x<w; ++x )
+    for ( unsigned int x=0; x<header.width(); ++x )
     {
       for ( int i=0; i<4; ++i )
         if ( *( p+x ) & ( 1 << i ) )
@@ -420,7 +420,7 @@ static void writeImage4( QDataStream &s 
   }
 }
 
- -static void writeImage8( QDataStream &s )
+static void writeImage8( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 8;
   header.NPlanes = 1;
@@ -430,7 +430,7 @@ static void writeImage8( QDataStream &s 
 
   QByteArray buf( header.BytesPerLine );
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
@@ -449,23 +449,23 @@ static void writeImage8( QDataStream &s 
     s << RGB( img.color( i ) );
 }
 
- -static void writeImage24( QDataStream &s )
+static void writeImage24( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 8;
   header.NPlanes = 3;
- -  header.BytesPerLine = w;
+  header.BytesPerLine = header.width();
 
   s << header;
 
- -  QByteArray r_buf( w );
- -  QByteArray g_buf( w );
- -  QByteArray b_buf( w );
+  QByteArray r_buf( header.width() );
+  QByteArray g_buf( header.width() );
+  QByteArray b_buf( header.width() );
 
- -  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     uint *p = ( uint * )img.scanLine( y );
 
- -    for ( int x=0; x<w; ++x )
+    for ( unsigned int x=0; x<header.width(); ++x )
     {
       QRgb rgb = *p++;
       r_buf[ x ] = qRed( rgb );
@@ -484,10 +484,10 @@ KDE_EXPORT void kimgio_pcx_write( QImage
   QDataStream s( io->ioDevice() );
   s.setByteOrder( QDataStream::LittleEndian );
 
- -  img = io->image();
+  QImage img = io->image();
 
- -  w = img.width();
- -  h = img.height();
+  int w = img.width();
+  int h = img.height();
 
   kdDebug( 399 ) << "Width: " << w << endl;
   kdDebug( 399 ) << "Height: " << h << endl;
@@ -495,6 +495,8 @@ KDE_EXPORT void kimgio_pcx_write( QImage
   kdDebug( 399 ) << "BytesPerLine: " << img.bytesPerLine() << endl;
   kdDebug( 399 ) << "Num Colors: " << img.numColors() << endl;
 
+  PCXHEADER header;
+
   header.Manufacturer = 10;
   header.Version = 5;
   header.Encoding = 1;
@@ -509,19 +511,19 @@ KDE_EXPORT void kimgio_pcx_write( QImage
 
   if ( img.depth() == 1 )
   {
- -    writeImage1( s );
+    writeImage1( img, s, header );
   }
   else if ( img.depth() == 8 && img.numColors() <= 16 )
   {
- -    writeImage4( s );
+    writeImage4( img, s, header );
   }
   else if ( img.depth() == 8 )
   {
- -    writeImage8( s );
+    writeImage8( img, s, header );
   }
   else if ( img.depth() == 32 )
   {
- -    writeImage24( s );
+    writeImage24( img, s, header );
   }
 
   io->setStatus( 0 );
Index: pcx.h
===================================================================
RCS file: /home/kde/kdelibs/kimgio/pcx.h,v
retrieving revision 1.4
retrieving revision 1.4.8.1
diff -u -3 -d -p -r1.4 -r1.4.8.1
- --- pcx.h	4 Jan 2003 00:48:25 -0000	1.4
+++ pcx.h	19 Apr 2005 10:48:00 -0000	1.4.8.1
@@ -49,7 +49,7 @@ class Palette
       rgb[ i ] = RGB( color );
     }
 
- -    QRgb color( int i )
+    QRgb color( int i ) const
     {
       return qRgb( rgb[ i ].r, rgb[ i ].g, rgb[ i ].b );
     }
@@ -60,12 +60,11 @@ class Palette
 class PCXHEADER
 {
   public:
- -    PCXHEADER()
- -    {
- -      reset();
- -    }
+    PCXHEADER();
 
- -    void reset();
+    inline int width() const { return ( XMax-XMin ) + 1; }
+    inline int height() const { return ( YMax-YMin ) + 1; }
+    inline bool isCompressed() const { return ( Encoding==1 ); }
 
     Q_UINT8  Manufacturer;    // Constant Flag, 10 = ZSoft .pcx
     Q_UINT8  Version;         // Version information�
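Review bot: `width()` and `height()` are undocumented and return a signed int computed from header fields that the file controls, so the result is zero or negative whenever XMax < XMin or YMax < YMin. The readers in pcx.cpp compare these values against `unsigned int` loop counters and pass them to QByteArray and `QImage::create`, so the contract belongs next to the accessors. I would add `// May be <= 0 for a malformed header (XMax < XMin); check before using as a size or loop bound.` above `width()`, and the matching comment above `height()`. The class body continues beyond the hunk.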
@@ -99,7 +98,7 @@ class PCXHEADER
                               // found only in PB IV/IV Plus
     Q_UINT16 VScreenSize;     // Vertical screen size in pixels. New field
                               // found only in PB IV/IV Plus
- -};
+} KDE_PACKED;
 
 #endif // PCX_H
 
diff -u -3 -d -p -r1.1 -r1.1.2.1
- --- psd.cpp	16 Dec 2004 09:59:07 -0000	1.1
+++ psd.cpp	19 Apr 2005 10:48:00 -0000	1.1.2.1
@@ -66,6 +66,19 @@ namespace {	// Private.
 		s >> header.color_mode;
 		return s;
 	}
+        static bool seekBy(QDataStream& s, unsigned int bytes)
+        {
+                char buf[4096];
+                while (bytes) {
+                        unsigned int num= QMIN(bytes,sizeof(buf));
+                        unsigned int l = num;
+                        s.readRawBytes(buf, l);
+                        if(l != num)
+                          return false;
+                        bytes -= num;
+                }
+                return true;
+        }
 
 	// Check that the header is a valid PSD.
 	static bool IsValid( const PSDHeader & header )
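Review bot: seekBy cannot report a short read as written: `l` is passed to `s.readRawBytes(buf, l)` and then compared with `num`, but if readRawBytes takes its length by value (the Qt 3 signature does, as far as I know) `l` never changes and `if(l != num)` is dead code. The helper then returns true on a truncated file, and the caller's `if(!seekBy(...)) return false;` never fires. Test the stream instead, as the other hunks in this file do: put `if (s.atEnd()) return false;` at the top of the `while (bytes)` body and drop `l`.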
@@ -149,10 +162,8 @@ namespace {	// Private.
 		if( compression ) {
 		
 			// Skip row lengths.
- -			ushort w;
- -			for(uint i = 0; i < header.height * header.channel_count; i++) {
- -	  			s >> w;
- -			}	
+                        if(!seekBy(s, header.height*header.channel_count*sizeof(ushort)))
+                                return false;
 
 			// Read RLE data.						
 			for(uint channel = 0; channel < channel_num; channel++) {
@@ -162,6 +173,8 @@ namespace {	// Private.
 				uint count = 0;
 				while( count < pixel_count ) {
 					uchar c;
+                                        if(s.atEnd())
+                                                return false;
 					s >> c;
 					uint len = c;
 					
@@ -169,6 +182,9 @@ namespace {	// Private.
 						// Copy next len+1 bytes literally.
 						len++;
 						count += len;
+                                                if ( count > pixel_count )
+                                                        return false;
+
 						while( len != 0 ) {
 							s >> *ptr;
 							ptr += 4;
@@ -181,6 +197,8 @@ namespace {	// Private.
 						len ^= 0xFF;
 						len += 2;
 						count += len;
+                                                if(s.atEnd() || count > pixel_count)
+                                                        return false;
 						uchar val;
 						s >> val;
 						while( len != 0 ) {
diff -u -3 -d -p -r1.31 -r1.31.2.1
- --- rgb.cpp	10 Jan 2005 19:54:19 -0000	1.31
+++ rgb.cpp	19 Apr 2005 10:48:00 -0000	1.31.2.1
@@ -87,7 +87,9 @@ bool SGIImage::getRow(uchar *dest)
 	int n, i;
 	if (!m_rle) {
 		for (i = 0; i < m_xsize; i++) {
- -			*dest++ = uchar(*m_pos);
+			if(m_pos >= m_data.end())
+				return false;
+			dest[i] = uchar(*m_pos);
 			m_pos += m_bpc;
 		}
 		return true;
@@ -120,7 +122,7 @@ bool SGIImage::readData(QImage& img)
 {
 	QRgb *c;
 	Q_UINT32 *start = m_starttab;
- -	QCString lguard(m_xsize);
+	QByteArray lguard(m_xsize);
 	uchar *line = (uchar *)lguard.data();
 	unsigned x, y;
 
@@ -128,7 +130,7 @@ bool SGIImage::readData(QImage& img)
 		m_pos = m_data.begin();
 
 	for (y = 0; y < m_ysize; y++) {
- -		c = reinterpret_cast<QRgb *>(img.scanLine(m_ysize - y - 1));
+		c = (QRgb *) img.scanLine(m_ysize - y - 1);
 		if (m_rle)
 			m_pos = m_data.begin() + *start++;
 		if (!getRow(line))
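Review bot: Both readData hunks replace `reinterpret_cast<QRgb *>(img.scanLine(...))` with the C-style cast `(QRgb *) img.scanLine(...)`, here and in `@@ -166,11 +168,11 @@`. The C-style form can also strip const silently and is harder to find when auditing pointer reinterpretation, and nothing in the hunk requires it. Keeping `c = reinterpret_cast<QRgb *>(img.scanLine(m_ysize - y - 1));` preserves the file's existing style. readData starts above the hunk and continues below it.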
@@ -166,11 +168,11 @@ bool SGIImage::readData(QImage& img)
 	}
 
 	for (y = 0; y < m_ysize; y++) {
- -		c = reinterpret_cast<QRgb *>(img.scanLine(m_ysize - y - 1));
 		if (m_rle)
 			m_pos = m_data.begin() + *start++;
 		if (!getRow(line))
 			return false;
+		c = (QRgb*) img.scanLine(m_ysize - y - 1);
 		for (x = 0; x < m_xsize; x++, c++)
 			*c = qRgba(qRed(*c), qGreen(*c), qBlue(*c), line[x]);
 	}
diff -u -3 -d -p -r1.14 -r1.14.2.1
- --- tiffr.cpp	22 Nov 2004 03:52:18 -0000	1.14
+++ tiffr.cpp	19 Apr 2005 10:48:00 -0000	1.14.2.1
@@ -84,6 +84,10 @@ KDE_EXPORT void kimgio_tiff_read( QImage
             return;
 
 	QImage image( width, height, 32 );
+	if( image.isNull()) {
+		TIFFClose( tiff );
+		return;
+	}
 	data = (uint32 *)image.bits();
 
 	//Sven: changed to %ld for 64bit machines
diff -u -3 -d -p -r1.3 -r1.3.2.1
- --- xcf.cpp	22 Nov 2004 03:48:27 -0000	1.3
+++ xcf.cpp	19 Apr 2005 10:48:00 -0000	1.3.2.1
@@ -234,10 +234,10 @@ bool XCFImageFormat::loadImageProperties
 					property.readBytes(tag, size);
 
 					Q_UINT32 flags;
- -					char* data;
+					char* data=0;
 					property >> flags >> data;
 
- -					if (strcmp(tag, "gimp-comment") == 0)
+					if (tag && strncmp(tag, "gimp-comment", strlen("gimp-comment")) == 0)
 						xcf_image.image.setText("Comment", 0, data);
 
 					delete[] tag;
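Review bot: The new comparison `strncmp(tag, "gimp-comment", strlen("gimp-comment"))` is a prefix match, so any parasite whose name merely starts with gimp-comment is now stored as the image comment. It can also read up to 12 bytes from `tag` without consulting `size`, the length passed to `property.readBytes(tag, size)` two lines up. If `tag` is shorter than that and not NUL-terminated, the compare runs past the buffer. Guard on the length first: `if (tag && size >= strlen("gimp-comment") && strncmp(tag, "gimp-comment", strlen("gimp-comment")) == 0)`. The enclosing case block starts and ends outside the hunk.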
@@ -257,6 +257,9 @@ bool XCFImageFormat::loadImageProperties
 
 				case PROP_COLORMAP:
 					property >> xcf_image.num_colors;
+                                        if(xcf_image.num_colors < 0 || xcf_image.num_colors > 65535)
+                                            return false;
+
 					xcf_image.palette.reserve(xcf_image.num_colors);
 
 					for (int i = 0; i < xcf_image.num_colors; i++) {
@@ -307,6 +310,9 @@ bool XCFImageFormat::loadProperty(QDataS
 			return false;
 		}
 
+                if(size > 65535 || size < 4)
+                    return false;
+
 		size = 3 * (size - 4) + 4;
 		data = new char[size];
 
@@ -336,19 +342,21 @@ bool XCFImageFormat::loadProperty(QDataS
 		}
 
 		size = 0;
- -	} else
- -		xcf_io.readBytes(data, size);
+	} else {
+                xcf_io >> size;
+                if(size >256000)
+                    return false;
+                data = new char[size];
+		xcf_io.readRawBytes(data, size);
+        }
 
 	if (xcf_io.device()->status() != IO_Ok) {
 		kdDebug(399) << "XCF: read failure on property " << type << " data, size " << size << endl;
 		return false;
 	}
 
- -	if (size != 0) {
- -		bytes.resize(size);
- -		for (uint i = 0; i < size; i++)
- -			bytes[i] = data[i];
- -		delete[] data;
+	if (size != 0 && data) {
+                bytes.assign(data,size);
 	}
 
 	return true;
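Review bot: In the new else branch, `data = new char[size]` is not released when the status check below returns false, and with `size == 0` the `if (size != 0 && data)` guard skips the only statement that consumes it, so both paths leak the buffer. `bytes.assign(data,size)` also replaces the old copy-then-`delete[] data`; if QByteArray::assign adopts the pointer and later releases it with free(), as I understand the Qt 3 behaviour, a `new[]` buffer ends up freed by the wrong allocator — please confirm. Copying keeps ownership simple: `bytes.duplicate(data, size);` followed by `delete[] data;`, plus a `delete[] data;` before the `return false`. Whether `data` is initialised on every path into the status check is decided above the hunk.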
@@ -401,7 +409,8 @@ bool XCFImageFormat::loadLayer(QDataStre
 	// Allocate the individual tile QImages based on the size and type
 	// of this layer.
 
- -	composeTiles(xcf_image);
+	if( !composeTiles(xcf_image))
+		return false;
 	xcf_io.device()->at(layer.hierarchy_offset);
 
 	// As tiles are loaded, they are copied into the layers tiles by
@@ -425,7 +434,8 @@ bool XCFImageFormat::loadLayer(QDataStre
 	// of the QImage.
 
 	if (!xcf_image.initialized) {
- -		initializeImage(xcf_image);
+		if( !initializeImage(xcf_image))
+			return false;
 		copyLayerToImage(xcf_image);
 		xcf_image.initialized = true;
 	} else
@@ -516,7 +526,7 @@ bool XCFImageFormat::loadLayerProperties
  * QImage structures for each of them.
  * \param xcf_image contains the current layer.
  */
- -void XCFImageFormat::composeTiles(XCFImage& xcf_image)
+bool XCFImageFormat::composeTiles(XCFImage& xcf_image)
 {
 	Layer& layer(xcf_image.layer);
 
@@ -556,48 +566,67 @@ void XCFImageFormat::composeTiles(XCFIma
 			switch (layer.type) {
 				case RGB_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height, 32, 0);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					layer.image_tiles[j][i].setAlphaBuffer(false);
 					break;
 
 				case RGBA_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height, 32, 0);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					layer.image_tiles[j][i].setAlphaBuffer(true);
 					break;
 
 				case GRAY_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height, 8, 256);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					setGrayPalette(layer.image_tiles[j][i]);
 					break;
 
 				case GRAYA_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height, 8, 256);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					setGrayPalette(layer.image_tiles[j][i]);
 
 					layer.alpha_tiles[j][i] = QImage( tile_width, tile_height, 8, 256);
+					if( layer.alpha_tiles[j][i].isNull())
+						return false;
 					setGrayPalette(layer.alpha_tiles[j][i]);
 					break;
 
 				case INDEXED_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height, 8,
 							xcf_image.num_colors);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					setPalette(xcf_image, layer.image_tiles[j][i]);
 					break;
 
 				case INDEXEDA_GIMAGE:
 					layer.image_tiles[j][i] = QImage(tile_width, tile_height,8,
 							xcf_image.num_colors);
+					if( layer.image_tiles[j][i].isNull())
+						return false;
 					setPalette(xcf_image, layer.image_tiles[j][i]);
 
 					layer.alpha_tiles[j][i] = QImage(tile_width, tile_height, 8, 256);
+					if( layer.alpha_tiles[j][i].isNull())
+						return false;
 					setGrayPalette(layer.alpha_tiles[j][i]);
 			}
 
 			if (layer.mask_offset != 0) {
 				layer.mask_tiles[j][i] = QImage(tile_width, tile_height, 8, 256);
+				if( layer.mask_tiles[j][i].isNull())
+					return false;
 				setGrayPalette(layer.mask_tiles[j][i]);
 			}
 		}
 	}
+	return true;
 }
 
 
@@ -1072,7 +1101,7 @@ void XCFImageFormat::assignMaskBytes(Lay
  * For indexed images, translucency is an all or nothing effect.
  * \param xcf_image contains image info and bottom-most layer.
  */
- -void XCFImageFormat::initializeImage(XCFImage& xcf_image)
+bool XCFImageFormat::initializeImage(XCFImage& xcf_image)
 {
 	// (Aliases to make the code look a little better.)
 	Layer& layer(xcf_image.layer);
@@ -1082,12 +1111,16 @@ void XCFImageFormat::initializeImage(XCF
 		case RGB_GIMAGE:
 			if (layer.opacity == OPAQUE_OPACITY) {
 				image.create( xcf_image.width, xcf_image.height, 32);
+				if( image.isNull())
+					return false;
 				image.fill(qRgb(255, 255, 255));
 				break;
 			} // else, fall through to 32-bit representation
 
 		case RGBA_GIMAGE:
 			image.create(xcf_image.width, xcf_image.height, 32);
+			if( image.isNull())
+				return false;
 			image.fill(qRgba(255, 255, 255, 0));
 			// Turning this on prevents fill() from affecting the alpha channel,
 			// by the way.
@@ -1097,6 +1130,8 @@ void XCFImageFormat::initializeImage(XCF
 		case GRAY_GIMAGE:
 			if (layer.opacity == OPAQUE_OPACITY) {
 				image.create(xcf_image.width, xcf_image.height, 8, 256);
+				if( image.isNull())
+					return false;
 				setGrayPalette(image);
 				image.fill(255);
 				break;
@@ -1104,6 +1139,8 @@ void XCFImageFormat::initializeImage(XCF
 
 		case GRAYA_GIMAGE:
 			image.create(xcf_image.width, xcf_image.height, 32);
+			if( image.isNull())
+				return false;
 			image.fill(qRgba(255, 255, 255, 0));
 			image.setAlphaBuffer(true);
 			break;
@@ -1125,12 +1162,16 @@ void XCFImageFormat::initializeImage(XCF
 				image.create(xcf_image.width, xcf_image.height,
 						1, xcf_image.num_colors,
 						QImage::LittleEndian);
+				if( image.isNull())
+					return false;
 				image.fill(0);
 				setPalette(xcf_image, image);
 			} else if (xcf_image.num_colors <= 256) {
 				image.create(xcf_image.width, xcf_image.height,
 				8, xcf_image.num_colors,
 				QImage::LittleEndian);
+				if( image.isNull())
+					return false;
 				image.fill(0);
 				setPalette(xcf_image, image);
 			}
@@ -1147,6 +1188,8 @@ void XCFImageFormat::initializeImage(XCF
 				image.create(xcf_image.width, xcf_image.height,
 						1, xcf_image.num_colors,
 						QImage::LittleEndian);
+				if( image.isNull())
+					return false;
 				image.fill(0);
 				setPalette(xcf_image, image);
 				image.setAlphaBuffer(true);
@@ -1160,6 +1203,8 @@ void XCFImageFormat::initializeImage(XCF
 				xcf_image.palette[0] = qRgba(255, 255, 255, 0);
 				image.create( xcf_image.width, xcf_image.height,
 						8, xcf_image.num_colors);
+				if( image.isNull())
+					return false;
 				image.fill(0);
 				setPalette(xcf_image, image);
 				image.setAlphaBuffer(true);
@@ -1168,6 +1213,8 @@ void XCFImageFormat::initializeImage(XCF
 				// true color. (There is no equivalent PNG representation output
 				// from The GIMP as of v1.2.)
 				image.create(xcf_image.width, xcf_image.height, 32);
+				if( image.isNull())
+					return false;
 				image.fill(qRgba(255, 255, 255, 0));
 				image.setAlphaBuffer(true);
 			}
@@ -1176,6 +1223,7 @@ void XCFImageFormat::initializeImage(XCF
 
 	image.setDotsPerMeterX((int)(xcf_image.x_resolution * INCHESPERMETER));
 	image.setDotsPerMeterY((int)(xcf_image.y_resolution * INCHESPERMETER));
+	return true;
 }
 
 
Index: xcf.h
===================================================================
RCS file: /home/kde/kdelibs/kimgio/xcf.h,v
retrieving revision 1.1
retrieving revision 1.1.2.1
diff -u -3 -d -p -r1.1 -r1.1.2.1
- --- xcf.h	13 Aug 2004 18:31:44 -0000	1.1
+++ xcf.h	19 Apr 2005 10:48:00 -0000	1.1.2.1
@@ -176,7 +176,7 @@ private:
 	bool loadProperty(QDataStream& xcf_io, PropType& type, QByteArray& bytes);
 	bool loadLayer(QDataStream& xcf_io, XCFImage& xcf_image);
 	bool loadLayerProperties(QDataStream& xcf_io, Layer& layer);
- -	void composeTiles(XCFImage& xcf_image);
+	bool composeTiles(XCFImage& xcf_image);
 	void setGrayPalette(QImage& image);
 	void setPalette(XCFImage& xcf_image, QImage& image);
 	static void assignImageBytes(Layer& layer, uint i, uint j);
@@ -185,7 +185,7 @@ private:
 	static void assignMaskBytes(Layer& layer, uint i, uint j);
 	bool loadMask(QDataStream& xcf_io, Layer& layer);
 	bool loadChannelProperties(QDataStream& xcf_io, Layer& layer);
- -	void initializeImage(XCFImage& xcf_image);
+	bool initializeImage(XCFImage& xcf_image);
 	bool loadTileRLE(QDataStream& xcf_io, uchar* tile, int size,
 			int data_length, Q_INT32 bpp);
 	static void copyLayerToImage(XCFImage& xcf_image);
diff -u -3 -d -p -r1.12 -r1.12.2.1
- --- xview.cpp	22 Nov 2004 03:52:18 -0000	1.12
+++ xview.cpp	19 Apr 2005 10:48:00 -0000	1.12.2.1
@@ -7,6 +7,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <stdlib.h>
 #include <qimage.h>
 
 #include <kdelibs_export.h>
@@ -15,6 +16,9 @@
 
 #define BUFSIZE 1024
 
+static const int b_255_3[]= {0,85,170,255},  // index*255/3
+           rg_255_7[]={0,36,72,109,145,182,218,255}; // index *255/7
+
 KDE_EXPORT void kimgio_xv_read( QImageIO *_imageio )
 {      
 	int x=-1;
@@ -50,10 +54,14 @@ KDE_EXPORT void kimgio_xv_read( QImageIO
 	sscanf(str, "%d %d %d", &x, &y, &maxval);
 
 	if (maxval != 255) return;
+	int blocksize = x*y;
+        if(x < 0 || y < 0 || blocksize < x || blocksize < y)
+            return;
 
 	// now follows a binary block of x*y bytes. 
- -	int blocksize = x*y;
- -	char *block = new char[ blocksize ];
+	char *block = (char*) malloc(blocksize);
+        if(!block)
+            return;
 
 	if (iodev->readBlock(block, blocksize) != blocksize ) 
 	{
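Review bot: The overflow test runs after the multiplication: `int blocksize = x*y;` is evaluated first, signed overflow there is undefined behaviour, and a wrapped product can still be positive and larger than both `x` and `y`, so `blocksize < x || blocksize < y` does not reject every oversized header. `blocksize` then sizes the malloc and the readBlock while the image is created from `x` and `y`, so the two sizes can disagree. Check before multiplying: `if (x <= 0 || y <= 0 || x > INT_MAX / y) return;` (needs `<limits.h>`), then compute `blocksize`. The return value of `sscanf` on the context line above is not checked either.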
@@ -62,6 +70,10 @@ KDE_EXPORT void kimgio_xv_read( QImageIO
 
 	// Create the image
 	QImage image( x, y, 8, maxval + 1, QImage::BigEndian );
+	if( image.isNull()) {
+                free(block);
+		return;
+        }
 
 	// how do the color handling? they are absolute 24bpp
 	// or at least can be calculated as such.
@@ -69,29 +81,9 @@ KDE_EXPORT void kimgio_xv_read( QImageIO
 
 	for ( int j = 0; j < 256; j++ )
 	{
- -// ----------- OLIVER EIDEN
- -// 	That is the old-code !
- -/*		r =  ((int) ((j >> 5) & 0x07)) << 5;
- -		g =  ((int) ((j >> 2) & 0x07)) << 5;
- -		b =  ((int) ((j >> 0) & 0x03)) << 6;*/
- -
- -
- -// 	That is the code-how xv, decode 3-3-2 pixmaps, it is slighly different,
- -//	but yields much better visuals results
- -/*		r =  (((int) ((j >> 5) & 0x07)) *255) / 7;
- -		g =  (((int) ((j >> 2) & 0x07)) *255) / 7;
- -		b =  (((int) ((j >> 0) & 0x03)) *255) / 3;*/
- -
- -//	This is the same as xv, with multiplications/divisions replaced by indexing
- -
- -//      Look-up table to avoid multiplications and divisons
- -	static int b_255_3[]= {0,85,170,255},  // index*255/3
- -		   rg_255_7[]={0,36,72,109,145,182,218,255}; // index *255/7
- -
 		r =  rg_255_7[((j >> 5) & 0x07)];
 		g =  rg_255_7[((j >> 2) & 0x07)];
 		b =  b_255_3[((j >> 0) & 0x03)];
- -// ---------------
 		image.setColor( j, qRgb( r, g, b ) );
 	}
 
@@ -104,7 +96,7 @@ KDE_EXPORT void kimgio_xv_read( QImageIO
 	_imageio->setImage( image );
 	_imageio->setStatus( 0 );
 
- -	delete [] block;
+	free(block);
 	return;
 }
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCerlZvsXr+iuy1UoRAn5EAKDl5XFVr16q/oofYflCxOiP8Mv7CwCg8nxl
QzwF7A8Bf8k2vpRguN7zhvY=
=qbXB
-----END PGP SIGNATURE-----