Fix buffer overflow

Fixes: oss-fuzz-23988 Pick-to: 5.15 5.12 Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
2020-07-09 13:33:34 +02:00 · 2020-07-09 13:33:34 +02:00 · e80be8a43d
commit e80be8a43d
parent 744e55b85a
3 changed files with 10 additions and 1 deletions
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@ -976,7 +976,7 @@ static bool read_xpm_body(
            } else {
                char b[16];
                b[cpp] = '\0';
-                for (x=0; x<w && d<end; x++) {
+                for (x=0; x<w && d+cpp<end; x++) {
                    memcpy(b, (char *)d, cpp);
                    *p++ = (uchar)colorMap[xpmHash(b)];
                    d += cpp;
--- a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@ -0,0 +1 @@
+/* XPM "20 8 1 7""    <20><> c  <20>"  "             <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>                " 
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@ -173,6 +173,8 @@ private slots:
    void devicePixelRatio_data();
    void devicePixelRatio();

+    void xpmBufferOverflow();
+
 private:
    QString prefix;
    QTemporaryDir m_temporaryDir;
@ -2047,5 +2049,11 @@ void tst_QImageReader::devicePixelRatio()
    QCOMPARE(img.devicePixelRatio(), dpr);
 }

+void tst_QImageReader::xpmBufferOverflow()
+{
+    // Please note that the overflow only showed when Qt was configured with "-sanitize address".
+    QImageReader(":/images/oss-fuzz-23988.xpm").read();
+}
+
 QTEST_MAIN(tst_QImageReader)
 #include "tst_qimagereader.moc"
				`@ -0,0 +1 @@`
				`/* XPM "20 8 1 7"" <20><> c <20>" " <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "`