Fix 32bit integer overflow in ICC parsing

Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Allan Sandfeld Jensen 2020-05-01 10:35:02 +02:00
parent 821e71fded
commit 6ebef2eb9a


@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
} }
// Don't overflow 32bit integers: // Don't overflow 32bit integers:
if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) { if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
qCWarning(lcIcc, "Failed tag count sanity"); qCWarning(lcIcc, "Failed tag count sanity");
return false; return false;
} }
@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
// Read tag index // Read tag index
const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader)); const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry); const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
Q_ASSERT(offsetToData > 0);
if (offsetToData > data.size()) { if (offsetToData > data.size()) {
qCWarning(lcIcc) << "fromIccProfile: failed index size sanity"; qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
return false; return false;
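Review bot: The `Q_ASSERT(offsetToData > 0)` added after the index computation is debug-only, so in release builds the only thing keeping `offsetToData` from wrapping is the tag-count bound in isValidIccProfile() from the first hunk, and nothing in this hunk records that dependency. The two checks must stay in step: the bound `(INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)` is exactly what makes `sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry)` fit in a 32-bit qsizetype, and a later edit to either expression without the other would silently reopen the overflow on 32-bit targets. A comment above the assert such as `// Cannot wrap: isValidIccProfile() bounds tagCount so this sum stays below INT32_MAX (the assert is debug-only).` would make the invariant visible at the point where it is relied on; that isValidIccProfile() runs before this line is not shown in the hunk and should be confirmed. fromIccProfile's body continues outside the hunk.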