36 lines
1.4 KiB
Diff
36 lines
1.4 KiB
Diff
|
From b7321368924c4dbed81aa008d76ebfb1dffd7e60 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
|
||
|
|
Date: Thu, 2 Aug 2018 13:11:20 +0200
|
||
|
|
Subject: [PATCH] Fix crash in qppmhandler for certain malformed image files
|
||
|
|
|
||
|
|
The ppm format specifies that the maximum color value field must be
|
||
|
|
less than 65536. The handler did not enforce this, leading to
|
||
|
|
potentional overflow when the value was used in 16 bits context.
|
||
|
|
|
||
|
|
Task-number: QTBUG-69449
|
||
|
|
Change-Id: Iea7a7e0f8953ec1ea8571e215687d12a9d77e11c
|
||
|
|
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
|
||
|
|
(cherry picked from commit 8c4207dddf9b2af0767de2ef0a10652612d462a5)
|
||
|
|
(cherry picked from commit 805dce07b9797f5f2770a9d2c58d6d381784ca25)
|
||
|
|
---
|
||
|
|
src/gui/image/qppmhandler.cpp | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
|
||
|
|
index 6eb35e15586..307dcc693d5 100644
|
||
|
|
--- a/src/gui/image/qppmhandler.cpp
|
||
|
|
+++ b/src/gui/image/qppmhandler.cpp
|
||
|
|
@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
|
||
|
|
else
|
||
|
|
mcc = read_pbm_int(device); // get max color component
|
||
|
|
|
||
|
|
- if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
|
||
|
|
+ if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
|
||
|
|
return false; // weird P.M image
|
||
|
|
|
||
|
|
return true;
|
||
|
|
--
|
||
|
|
2.16.3
|
||
|
|
|
||
|
|
|