diff options
author | Slávek Banko <slavek.banko@axis.cz> | 2019-11-01 01:59:59 +0100 |
---|---|---|
committer | Slávek Banko <slavek.banko@axis.cz> | 2019-12-16 02:41:05 +0100 |
commit | 4470facd61b6d9fd862f70ce56f22ab502415d23 (patch) | |
tree | 97eeb245bba2daf95c58eb8352d09b77f80be627 | |
parent | da15dfe6d7ec8cd62964b99e56200a8adc7c8bf5 (diff) | |
download | tqt3-4470facd61b6d9fd862f70ce56f22ab502415d23.tar.gz tqt3-4470facd61b6d9fd862f70ce56f22ab502415d23.zip |
Fix crash in tqimage for certain malformed ppm image files
The ppm format specifies that the maximum color value field must be
less than 65536. The handler did not enforce this, leading to
potentional overflow when the value was used in 16 bits context.
Based on Qt5 patch for CVE-2018-19872.
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
-rw-r--r-- | src/kernel/qimage.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp index 769eba201..692f982ad 100644 --- a/src/kernel/qimage.cpp +++ b/src/kernel/qimage.cpp @@ -5196,7 +5196,7 @@ static void read_pbm_image( TQImageIO *iio ) // read PBM image data mcc = 1; // ignore max color component else mcc = read_pbm_int( d ); // get max color component - if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 ) + if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff ) return; // weird P.M image int maxc = mcc; |