1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Protect against sign-change of size on 32bit

Browse Source 
Since qsizetype is signed and the profileSize unsigned, it can turn
negative circumventing the test here.

Fixes oss-fuzz issue 29278.

Change-Id: I1e211c78db6f4ff150613f52d8fc29807f0088ff
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 05741b404ad5a8f9a490191a347e67c61456a89c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Allan Sandfeld Jensen 2021-01-26 12:07:53 +01:00 committed by Qt Cherry-pick Bot
parent 54980200c7
commit f16f194a62
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/gui/painting/qicc.cpp
View File

@ -646,7 +646,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
const ICCProfileHeader header = qFromUnaligned<ICCProfileHeader>(data.constData()); const ICCProfileHeader header = qFromUnaligned<ICCProfileHeader>(data.constData());
if (!isValidIccProfile(header)) if (!isValidIccProfile(header))
return false; // if failed we already printing a warning return false; // if failed we already printing a warning
if (qsizetype(header.profileSize) > data.size()) { if (qsizetype(header.profileSize) > data.size() || qsizetype(header.profileSize) < qsizetype(sizeof(ICCProfileHeader))) {
qCWarning(lcIcc) << "fromIccProfile: failed size sanity 2"; qCWarning(lcIcc) << "fromIccProfile: failed size sanity 2";
return false; return false;
} }