authorAllan Sandfeld Jensen <allan.jensen@qt.io>2021-01-26 12:07:53 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2021-01-27 15:35:17 +0000
commitf16f194a62a775641e28ef820ca1523d26625395 (patch)
tree33644d73cb2c123aac5606479f40287a30909838
parent54980200c79b466a276a4d3054390e4b3162e9ed (diff)
Protect against sign-change of size on 32bit
Since qsizetype is signed and profileSize is unsigned, the converted value can turn negative, circumventing the test here. Fixes oss-fuzz issue 29278. Change-Id: I1e211c78db6f4ff150613f52d8fc29807f0088ff Reviewed-by: Robert Löhning <robert.loehning@qt.io> Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit 05741b404ad5a8f9a490191a347e67c61456a89c) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/gui/painting/qicc.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 5e30ace549..149a67655a 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -646,7 +646,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
const ICCProfileHeader header = qFromUnaligned<ICCProfileHeader>(data.constData());
if (!isValidIccProfile(header))
return false; // if failed we already printing a warning
- if (qsizetype(header.profileSize) > data.size()) {
+ if (qsizetype(header.profileSize) > data.size() || qsizetype(header.profileSize) < qsizetype(sizeof(ICCProfileHeader))) {
qCWarning(lcIcc) << "fromIccProfile: failed size sanity 2";
return false;
}
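Review bot: The added lower-bound check on the `+` line still performs the narrowing cast `qsizetype(header.profileSize)` twice and relies on the wrapped value landing below `sizeof(ICCProfileHeader)` on 32-bit targets; that holds for negative results, but the intent is clearer and independent of the target's `qsizetype` width if the comparison is done in the unsigned domain, since `data.size()` is never negative. A single line achieves this: `if (header.profileSize > quint64(data.size()) || header.profileSize < sizeof(ICCProfileHeader)) {`. The existing warning text "failed size sanity 2" then covers both the too-large and too-small cases; a short comment such as `// profileSize is unsigned; compare without narrowing to qsizetype` would record why the cast was removed. fromIccProfile's body starts before and continues after this hunk, so any later use of profileSize for offsets is outside what is visible here.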