diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-07-23 11:48:48 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-07-24 11:57:45 +0000 |
| commit | 1616c71921b73b227f56ccb3f2c49a994ec23440 (patch) | |
| tree | fc3ef80788c877e799f81586a13de897ed9644bd | |
| parent | ccaaeaad62672db118782055244a21795c410407 (diff) | |
Fix buffer overflow in XBM parser
Avoid parsing over the buffer limit, or interpreting non-hex
as hex.
This still leaves parsing of lines longer than 300 chars
unreliable
Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/gui/image/qxbmhandler.cpp | 4 | ||||
| -rw-r--r-- | tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 38 |
2 files changed, 41 insertions, 1 deletions
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp index f06561690c..72ce7f7ecd 100644 --- a/src/gui/image/qxbmhandler.cpp +++ b/src/gui/image/qxbmhandler.cpp @@ -159,7 +159,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage) w = (w+7)/8; // byte width while (y < h) { // for all encoded bytes... - if (p) { // p = "0x.." + if (p && p < (buf + readBytes - 3)) { // p = "0x.." + if (!isxdigit(p[2]) || !isxdigit(p[3])) + return false; *b++ = hex2byte(p+2); p += 2; if (++x == w && ++y < h) { diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp index cf8a0d1cff..984a7c7482 100644 --- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp @@ -175,6 +175,8 @@ private slots: void xpmBufferOverflow(); + void xbmBufferHandling(); + private: QString prefix; QTemporaryDir m_temporaryDir; @@ -2055,5 +2057,41 @@ void tst_QImageReader::xpmBufferOverflow() QImageReader(":/images/oss-fuzz-23988.xpm").read(); } +void tst_QImageReader::xbmBufferHandling() +{ + uint8_t original_buffer[256]; + for (int i = 0; i < 256; ++i) + original_buffer[i] = i; + + QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB); + image.setColorTable({0xff000000, 0xffffffff}); + + QByteArray buffer; + { + QBuffer buf(&buffer); + QImageWriter writer(&buf, "xbm"); + writer.write(image); + } + + QCOMPARE(QImage::fromData(buffer, "xbm"), image); + + auto i = buffer.indexOf(','); + buffer.insert(i + 1, " "); + QCOMPARE(QImage::fromData(buffer, "xbm"), image); + buffer.insert(i + 1, " "); + QCOMPARE(QImage::fromData(buffer, "xbm"), image); + buffer.insert(i + 1, " "); +#if 0 // Lines longer than 300 chars not supported currently + QCOMPARE(QImage::fromData(buffer, "xbm"), image); +#endif + + i = buffer.lastIndexOf("\n "); + buffer.truncate(i + 1); + buffer.append(QByteArray(297, ' ')); + buffer.append("0x"); + // Only check we get no buffer overflow + QImage::fromData(buffer, "xbm"); +} + QTEST_MAIN(tst_QImageReader) #include "tst_qimagereader.moc" |