authorSlávek Banko <[email protected]>2019-11-01 01:59:59 +0100
committerSlávek Banko <[email protected]>2019-12-18 17:55:09 +0100
commitd8d67a842b11ba1b0c2ce83d7168670941499dbf (patch)
treeafb383e6dc829e8c986a62fffdeb8d245ba07b7e /src/kernel
parent361ea8bcf0e5c5f21f9c640d03acf8f63d692cf2 (diff)
Fix crash in tqimage for certain malformed ppm image files
The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to a potential overflow when the value was used in a 16-bit context. Based on Qt5 patch for CVE-2018-19872. Signed-off-by: Slávek Banko <[email protected]> (cherry picked from commit b08a6d71ba872e67b75a822fcd44670126975818)
Diffstat (limited to 'src/kernel')
-rw-r--r--src/kernel/qimage.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 8dd71be..4bb9947 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -5196,7 +5196,7 @@ static void read_pbm_image( QImageIO *iio ) // read PBM image data
mcc = 1; // ignore max color component
else
mcc = read_pbm_int( d ); // get max color component
- if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 )
+ if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff )
return; // weird P.M image
int maxc = mcc;
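Review bot: The new `mcc > 0xffff` bound in the header validity check has no comment, so the reason for the limit lives only in the commit message; a line such as `// PNM maxval must be < 65536 (CVE-2018-19872)` above the `if` would keep a later cleanup from relaxing it. The check also depends on `read_pbm_int()` returning a sane value, and that helper is outside the hunk, so it is worth confirming that an over-long digit run cannot wrap its accumulator into the accepted range before this test sees it. A malformed-header sample in the image tests would pin the rejection path. The body of read_pbm_image starts and ends outside the hunk.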