authorSlávek Banko <slavek.banko@axis.cz>2019-11-01 01:59:59 +0100
committerSlávek Banko <slavek.banko@axis.cz>2019-12-16 02:41:05 +0100
commit4470facd61b6d9fd862f70ce56f22ab502415d23 (patch)
tree97eeb245bba2daf95c58eb8352d09b77f80be627
parentda15dfe6d7ec8cd62964b99e56200a8adc7c8bf5 (diff)
Fix crash in tqimage for certain malformed ppm image files
The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to a potential overflow when the value was used in a 16-bit context. Based on Qt5 patch for CVE-2018-19872. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
-rw-r--r--src/kernel/qimage.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 769eba201..692f982ad 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -5196,7 +5196,7 @@ static void read_pbm_image( TQImageIO *iio ) // read PBM image data
mcc = 1; // ignore max color component
else
mcc = read_pbm_int( d ); // get max color component
- if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 )
+ if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff )
return; // weird P.M image
int maxc = mcc;
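Review bot: The added `mcc > 0xffff` bound is only as reliable as the value `read_pbm_int( d )` returns, and that helper is not part of this hunk. If it accumulates decimal digits into an `int` without an overflow check, a very long digit string in the header could wrap to a value that passes this test and the `w`/`h` tests alike. It is worth confirming that the helper rejects or saturates oversized numbers, and that the sample values read later in `read_pbm_image` are clamped to `maxc` before they are scaled. The limits are also bare literals; going by the commit message, a comment on the condition such as `// PPM maxval must be < 65536; larger values overflow later 16-bit use` would record why the bound exists. The function body starts before and continues past this hunk, so the later uses of `maxc` are not visible here.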