From b2fe6b1c05ff8abab646636c64a1d4bd58b4665a Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 27 Jun 2022 10:51:58 +0200
Subject: [PATCH] Avoid reading outside allocated buffer

Bound the inverse lookup result on the low end as well.

Fixes: QTBUG-104583
Change-Id: Id357fe1c39c88776075d737b08fc2864a2b6e829
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit a2501fff818971a375a927038792140aed6ef4b6)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/painting/qcolortransfertable_p.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gui/painting/qcolortransfertable_p.h b/src/gui/painting/qcolortransfertable_p.h
index ac1f843912a..4563acf1fa8 100644
--- a/src/gui/painting/qcolortransfertable_p.h
+++ b/src/gui/painting/qcolortransfertable_p.h
@@ -105,6 +105,8 @@ public:
             uint32_t i = static_cast<uint32_t>(std::floor(resultLargerThan * (m_tableSize - 1)));
             auto it = std::lower_bound(m_table16.cbegin() + i, m_table16.cend(), v);
             i = it - m_table16.cbegin();
+            if (i == 0)
+                return 0.0f;
             if (i >= m_tableSize - 1)
                 return 1.0f;
             const float y1 = m_table16[i - 1];
@@ -119,6 +121,8 @@ public:
             uint32_t i = static_cast<uint32_t>(std::floor(resultLargerThan * (m_tableSize - 1)));
             auto it = std::lower_bound(m_table8.cbegin() + i, m_table8.cend(), v);
             i = it - m_table8.cbegin();
+            if (i == 0)
+                return 0.0f;
             if (i >= m_tableSize - 1)
                 return 1.0f;
             const float y1 = m_table8[i - 1];