author | Robert Loehning <robert.loehning@qt.io> | 2020-07-09 13:33:34 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-07-31 13:08:24 +0000 |
commit | 5b2f75388424995925a0e45654a0d509b290aaa0 (patch) | |
tree | 0fe0f974069b22fa984eaf54c6b6b9a0146fd5e4 | |
parent | b7f2057ab1b3afd5a022dd56a819056ba230f7e9 (diff) |
Fix buffer overflow
Fixes: oss-fuzz-23988
Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/gui/image/qxpmhandler.cpp | 2 | ||||
-rw-r--r-- | tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 | ||||
-rw-r--r-- | tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 8 |
3 files changed, 10 insertions, 1 deletions
diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
index 17272ffe69..417dab7ce3 100644
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@@ -973,7 +973,7 @@ static bool read_xpm_body(
 } else {
 char b[16];
 b[cpp] = '\0';
- for (x=0; x<w && d<end; x++) {
+ for (x=0; x<w && d+cpp<end; x++) {
 memcpy(b, (char *)d, cpp);
 *p++ = (uchar)colorMap[xpmHash(b)];
 d += cpp;
diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
new file mode 100644
index 0000000000..7e6c1e4ca2
--- /dev/null
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@@ -0,0 +1 @@
+/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ "
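Review bot: The new bound `d+cpp<end` in the multi-character branch looks one element too strict. If `end` is one past the last byte of the row, as the previous `d<end` test suggests, a row holding exactly `w*cpp` bytes now stops before its final pixel. Comparing the remaining length keeps the read in bounds without dropping that pixel and without forming a pointer beyond the buffer: `for (x=0; x<w && end-d >= cpp; x++) {`. The `memcpy` into `char b[16]` and the write to `b[cpp]` also depend on `cpp` being at most 15; that check is not visible here, so confirm it is enforced before this loop. read_xpm_body starts and ends outside the hunk.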
\ No newline at end of file diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp index 1eee2f273e..0135e48c7d 100644 --- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp @@ -167,6 +167,8 @@ private slots: void devicePixelRatio_data(); void devicePixelRatio(); + void xpmBufferOverflow(); + private: QString prefix; QTemporaryDir m_temporaryDir; @@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio() QCOMPARE(img.devicePixelRatio(), dpr); } +void tst_QImageReader::xpmBufferOverflow() +{ + // Please note that the overflow only showed when Qt was configured with "-sanitize address". + QImageReader(":/images/oss-fuzz-23988.xpm").read(); +} + QTEST_MAIN(tst_QImageReader) #include "tst_qimagereader.moc" |
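Review bot: xpmBufferOverflow() discards the result of `read()`, so it also passes when `:/images/oss-fuzz-23988.xpm` cannot be opened at all. The diffstat lists no resource file among the three changed files, so whether the new fixture is actually bundled is not visible here. A guard such as `QVERIFY(QFile::exists(":/images/oss-fuzz-23988.xpm"));` before the read would make a missing fixture fail loudly. As the in-code comment notes, the overflow is only reported in an address-sanitizer build, so it would help to have CI run this test in that configuration.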