authorSlávek Banko <slavek.banko@axis.cz>2019-11-01 01:59:59 +0100
committerSlávek Banko <slavek.banko@axis.cz>2019-12-18 17:54:37 +0100
commitb08a6d71ba872e67b75a822fcd44670126975818 (patch)
tree20c1bb3ecde14b0789b1a864e15cf7664df43fc7
parent40078adb6a8c30c177858e3eb21b074c5b49521a (diff)
Fix crash in tqimage for certain malformed ppm image files
The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to a potential overflow when the value was used in a 16-bit context. Based on Qt5 patch for CVE-2018-19872. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
-rw-r--r--src/kernel/qimage.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 8dd71be..4bb9947 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -5196,7 +5196,7 @@ static void read_pbm_image( QImageIO *iio ) // read PBM image data
mcc = 1; // ignore max color component
else
mcc = read_pbm_int( d ); // get max color component
- if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 )
+ if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff )
return; // weird P.M image
int maxc = mcc;
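Review bot: The added `mcc > 0xffff` bound is only as reliable as the value `read_pbm_int( d )` returns, and that helper is not visible in this hunk. If it accumulates decimal digits into an `int` without an overflow guard, an over-long maxval field could wrap into the accepted range before this comparison runs, so it is worth confirming that the helper fails or saturates on overflow. The bare constant would also benefit from a comment tying it to the format, e.g. `// PPM maxval must be < 65536; larger values overflow 16-bit sample handling`, because `// weird P.M image` does not say why the header is rejected. read_pbm_image begins and ends outside the hunk, so how `maxc` is used after this line cannot be checked from here.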