Fix crash in qppmhandler for certain malformed image files

The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to potentional overflow when the value was used in 16 bits context. Task-number: QTBUG-69449 Change-Id: Iea7a7e0f8953ec1ea8571e215687d12a9d77e11c Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 8c4207dddf9b2af0767de2ef0a10652612d462a5) (cherry picked from commit 805dce07b9797f5f2770a9d2c58d6d381784ca25)
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2018-08-02 13:11:20 +0200
committer: Eirik Aavitsland <eirik.aavitsland@qt.io> 2018-08-09 09:26:12 +0000
commit: b7321368924c4dbed81aa008d76ebfb1dffd7e60 (patch)
tree: 48eaacbbe53d86b1dd8a24070e03e6167fda4535
parent: 3570cdc10d0008c7dc9858cd8a38d1934ee62fdb (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
index 6eb35e1558..307dcc693d 100644
--- a/src/gui/image/qppmhandler.cpp
+++ b/src/gui/image/qppmhandler.cpp
@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
     else
         mcc = read_pbm_int(device);               // get max color component
 
-    if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
+    if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
         return false;                                        // weird P.M image
 
     return true;
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2018-08-02 13:11:20 +0200
committer	Eirik Aavitsland <eirik.aavitsland@qt.io>	2018-08-09 09:26:12 +0000
commit	b7321368924c4dbed81aa008d76ebfb1dffd7e60 (patch)
tree	48eaacbbe53d86b1dd8a24070e03e6167fda4535
parent	3570cdc10d0008c7dc9858cd8a38d1934ee62fdb (diff)