Fix buffer overflow in XBM parser

Avoid parsing over the buffer limit, or interpreting non-hex as hex. This still leaves parsing of lines longer than 300 chars unreliable Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb Pick-to: 5.15 5.12 Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-07-23 11:48:48 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-07-24 10:06:57 +0200
commit: c562c1fc19629fb505acd0f6380604840b634211 (patch)
tree: 5e7dcf976027c3c60a6dfaa1b7fae90315a7e08f /src/gui/image/qxbmhandler.cpp
parent: 61a50b2b9b5bca5482e3ce981f4ed6d031a6255a (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 1de045730f..39f379520e 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -161,7 +161,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
     w = (w+7)/8;                                // byte width
 
     while (y < h) {                                // for all encoded bytes...
-        if (p) {                                // p = "0x.."
+        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
+            if (!isxdigit(p[2]) || !isxdigit(p[3]))
+                return false;
             *b++ = hex2byte(p+2);
             p += 2;
             if (++x == w && ++y < h) {
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-07-23 11:48:48 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-07-24 10:06:57 +0200
commit	c562c1fc19629fb505acd0f6380604840b634211 (patch)
tree	5e7dcf976027c3c60a6dfaa1b7fae90315a7e08f /src/gui/image/qxbmhandler.cpp
parent	61a50b2b9b5bca5482e3ce981f4ed6d031a6255a (diff)