blob: cad9aa4b682c76939acd836ae1d83f96e8ce7d4e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 23 Jul 2020 11:48:48 +0200
Subject: Fix buffer overflow in XBM parser
Avoid parsing over the buffer limit, or interpreting non-hex
as hex.
This still leaves parsing of lines longer than 300 chars
unreliable
Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
src/gui/image/qxbmhandler.cpp | 4 ++-
.../gui/image/qimagereader/tst_qimagereader.cpp | 38 ++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index f06561690c..72ce7f7ecd 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -159,7 +159,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
w = (w+7)/8; // byte width
while (y < h) { // for all encoded bytes...
- if (p) { // p = "0x.."
+ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
+ if (!isxdigit(p[2]) || !isxdigit(p[3]))
+ return false;
*b++ = hex2byte(p+2);
p += 2;
if (++x == w && ++y < h) {
--
cgit v1.2.1
|
