Fix stack corruption and bus errors while scanning oversized QR codes

lib/decode.c

@@ -409,7 +409,6 @@ struct datastream {
 static inline int grid_bit(const struct quirc_code *code, int x, int y)
 {
 	int p = y * code->size + x;
-
 	return (code->cell_bitmap[p >> 3] >> (p & 7)) & 1;
 }
 

lib/identify.c

@@ -656,8 +656,11 @@ static int measure_timing_pattern(struct quirc *q, int index)
 	/* Choose the nearest allowable grid size */
 	size = scan * 2 + 13;
 	ver = (size - 15) / 4;
-	qr->grid_size = ver * 4 + 17;
+	if (ver > QUIRC_MAX_VERSION) {
+		return -1;
+	}
 
+	qr->grid_size = ver * 4 + 17;
 	return 0;
 }
 
@@ -1135,11 +1138,10 @@ void quirc_extract(const struct quirc *q, int index,
 
 	for (y = 0; y < qr->grid_size; y++) {
 		int x;
-
 		for (x = 0; x < qr->grid_size; x++) {
-			if (read_cell(q, index, x, y) > 0)
-				code->cell_bitmap[i >> 3] |= (1 << (i & 7));
-
+			if (read_cell(q, index, x, y) > 0) {
+		                code->cell_bitmap[i >> 3] |= (1 << (i & 7));
+			}
 			i++;
 		}
 	}

lib/quirc.h

@@ -78,7 +78,9 @@ typedef enum {
 const char *quirc_strerror(quirc_decode_error_t err);
 
 /* Limits on the maximum size of QR-codes and their content. */
-#define QUIRC_MAX_BITMAP	3917
+#define QUIRC_MAX_VERSION	40
+#define QUIRC_MAX_GRID_SIZE	(QUIRC_MAX_VERSION * 4 + 17)
+#define QUIRC_MAX_BITMAP	(((QUIRC_MAX_GRID_SIZE * QUIRC_MAX_GRID_SIZE) + 7) / 8)
 #define QUIRC_MAX_PAYLOAD	8896
 
 /* QR-code ECC types. */

lib/quirc_internal.h

@@ -28,7 +28,6 @@
 #endif
 #define QUIRC_MAX_CAPSTONES	32
 #define QUIRC_MAX_GRIDS		8
-
 #define QUIRC_PERSPECTIVE_PARAMS	8
 
 #if QUIRC_MAX_REGIONS < UINT8_MAX