2020-09-20 16:40:46 +08:00
|
|
|
From 1a27a6cefbb457f2fb74159267835aaefb7c992d Mon Sep 17 00:00:00 2001
|
2020-09-20 17:49:29 +08:00
|
|
|
From: Dmitry Shachnev <mitya57@debian.org>
|
|
|
|
|
Date: Tue, 18 Aug 2020 16:16:57 +0300
|
|
|
|
|
Subject: [PATCH] Backport upstream patch to fix buffer overflow in XBMparser.
|
2020-09-20 16:40:46 +08:00
|
|
|
|
2020-09-20 17:49:29 +08:00
|
|
|
Closes: #968444, CVE-2020-17507.
|
2020-09-20 16:40:46 +08:00
|
|
|
---
|
|
|
|
|
src/gui/image/qxbmhandler.cpp | 4 +++-
|
|
|
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
|
|
|
|
|
index 414e8233..7483b245 100644
|
|
|
|
|
--- a/src/gui/image/qxbmhandler.cpp
|
|
|
|
|
+++ b/src/gui/image/qxbmhandler.cpp
|
|
|
|
|
@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
|
|
|
|
|
w = (w+7)/8; // byte width
|
|
|
|
|
|
|
|
|
|
while (y < h) { // for all encoded bytes...
|
|
|
|
|
- if (p) { // p = "0x.."
|
|
|
|
|
+ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
|
|
|
|
|
+ if (!isxdigit(p[2]) || !isxdigit(p[3]))
|
|
|
|
|
+ return false;
|
|
|
|
|
*b++ = hex2byte(p+2);
|
|
|
|
|
p += 2;
|
|
|
|
|
if (++x == w && ++y < h) {
|
|
|
|
|
--
|
|
|
|
|
2.23.0
|
|
|
|
|
|
