authorRobert Loehning <robert.loehning@qt.io>2020-07-09 13:33:34 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-07-31 13:08:24 +0000
commit5b2f75388424995925a0e45654a0d509b290aaa0 (patch)
tree0fe0f974069b22fa984eaf54c6b6b9a0146fd5e4
parentb7f2057ab1b3afd5a022dd56a819056ba230f7e9 (diff)
Fix buffer overflow
Fixes: oss-fuzz-23988 Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/gui/image/qxpmhandler.cpp2
-rw-r--r--tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm1
-rw-r--r--tests/auto/gui/image/qimagereader/tst_qimagereader.cpp8
3 files changed, 10 insertions, 1 deletions
diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
index 17272ffe69..417dab7ce3 100644
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@@ -973,7 +973,7 @@ static bool read_xpm_body(
} else {
char b[16];
b[cpp] = '\0';
- for (x=0; x<w && d<end; x++) {
+ for (x=0; x<w && d+cpp<end; x++) {
memcpy(b, (char *)d, cpp);
*p++ = (uchar)colorMap[xpmHash(b)];
d += cpp;
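Review bot: The new bound `d+cpp<end` on the changed line is one stricter than the read it guards: `memcpy(b, (char *)d, cpp)` touches bytes `d..d+cpp-1`, so if `end` is the usual one-past-the-end pointer, a row whose remaining bytes exactly fill the buffer loses its final pixel; `for (x=0; x<w && d+cpp<=end; x++)` would stop the overflow without dropping it. When the loop does exit early, the remaining `w - x` pixels of the scanline are simply not written, which deserves a comment such as `// short row: stop before reading past the buffer; remaining pixels are left untouched` so the early exit is not mistaken for an error path. `end` and `cpp` are set before the hunk (read_xpm_body begins outside it), so whether `end` points one past the data and whether `cpp` is already capped below `sizeof(b)` — required for `b[cpp] = '\0'` — cannot be confirmed from here.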
diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
new file mode 100644
index 0000000000..7e6c1e4ca2
--- /dev/null
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@@ -0,0 +1 @@
+/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ " \ No newline at end of file
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 1eee2f273e..0135e48c7d 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -167,6 +167,8 @@ private slots:
void devicePixelRatio_data();
void devicePixelRatio();
+ void xpmBufferOverflow();
+
private:
QString prefix;
QTemporaryDir m_temporaryDir;
@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
QCOMPARE(img.devicePixelRatio(), dpr);
}
+void tst_QImageReader::xpmBufferOverflow()
+{
+ // Please note that the overflow only showed when Qt was configured with "-sanitize address".
+ QImageReader(":/images/oss-fuzz-23988.xpm").read();
+}
+
QTEST_MAIN(tst_QImageReader)
#include "tst_qimagereader.moc"
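Review bot: The new xpmBufferOverflow test discards the decoded image and asserts nothing, so a reader may take it for an unfinished test rather than a sanitizer regression check. The existing comment should state that explicitly, e.g. `// Regression test for oss-fuzz-23988: the input is fuzzer-generated, so the decode result is unspecified; the test passes if reading it triggers no out-of-bounds access (only reported when Qt is built with -sanitize address).` Nothing in the hunk supports asserting a particular image, so leaving the return value unchecked is reasonable once the intent is documented.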