Make minimal tag size more accepting

Accept tags between 8 and 12 bytes long, and move the check for 12
bytes to where it is needed.

Pick-to: 6.7 6.5
Fixes: QTBUG-125241
Change-Id: I1a46852a9ab60e7c63f8d74de1809d731912ab5b
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>

1 files changed, 5 insertions, 1 deletions

diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index c01fa433ea..a2786fbb8b 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -559,6 +559,8 @@ static bool parseXyzData(const QByteArray &data, const TagEntry &tagEntry, QColo
 
 static quint32 parseTRC(const QByteArrayView &tagData, QColorTrc &gamma, QColorTransferTable::Type type = QColorTransferTable::TwoWay)
 {
+    if (tagData.size() < 12)
+        return 0;
     const GenericTagData trcData = qFromUnaligned<GenericTagData>(tagData.constData());
     if (trcData.type == quint32(Tag::curv)) {
         Q_STATIC_ASSERT(sizeof(CurvTagData) == 12);
@@ -1067,6 +1069,8 @@ static bool parseDesc(const QByteArray &data, const TagEntry &tagEntry, QString
 
     // Either 'desc' (ICCv2) or 'mluc' (ICCv4)
     if (tag.type == quint32(Tag::desc)) {
+        if (tagEntry.size < sizeof(DescTagData))
+            return false;
         Q_STATIC_ASSERT(sizeof(DescTagData) == 12);
         const DescTagData desc = qFromUnaligned<DescTagData>(data.constData() + tagEntry.offset);
         const quint32 len = desc.asciiDescriptionLength;
@@ -1287,7 +1291,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
             qCWarning(lcIcc) << "fromIccProfile: failed tag offset sanity 2";
             return false;
         }
-        if (tagTable.size < 12) {
+        if (tagTable.size < 8) {
             qCWarning(lcIcc) << "fromIccProfile: failed minimal tag size sanity";
             return false;
         }