gif image handler: check for out of range image size

Make the decoder fail early to avoid spending time and memory on
attempting to decode a corrupt image file.

Change-Id: Ic556d4fbcb6b542fc110d10e48dac1a880e60697
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit 2b7b75f721b6786a6dc35e2f9b693bb2e2dfac01)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

src/plugins/imageformats/gif/qgifhandler.cpp

@@ -78,6 +78,10 @@ public:
 private:
     void fillRect(QImage *image, int x, int y, int w, int h, QRgb col);
     inline QRgb color(uchar index) const;
+    static bool withinSizeLimit(int width, int height)
+    {
+        return quint64(width) * height < 16384 * 16384; // Reject unreasonable header values
+    }
 
     // GIF specific stuff
     QRgb* globalcmap;
@@ -351,6 +355,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                 QImage::Format format = trans_index >= 0 ? QImage::Format_ARGB32 : QImage::Format_RGB32;
                 if (image->isNull()) {
+                    if (!withinSizeLimit(swidth, sheight)) {
+                        state = Error;
+                        return -1;
+                    }
                     (*image) = QImage(swidth, sheight, format);
                     bpl = image->bytesPerLine();
                     bits = image->bits();
@@ -412,6 +420,11 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 
                     if (backingstore.width() < w
                         || backingstore.height() < h) {
+
+                        if (!withinSizeLimit(w, h)) {
+                            state = Error;
+                            return -1;
+                        }
                         // We just use the backing store as a byte array
                         backingstore = QImage(qMax(backingstore.width(), w),
                                               qMax(backingstore.height(), h),