| | | |
|---|---|---|
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-01-26 12:07:53 +0100 |
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-01-28 09:03:12 +0000 |
| commit | 5cf3220eba524fc2ed9c2f832b1bd6170624b039 (patch) | |
| tree | 7653d611fd5a96a6bc99bc6da419076e4a341fc8 /src/gui | |
| parent | d8f661838d09690d339d8e33eeb6388b1f060adf (diff) | |
Protect against sign-change of size on 32bit
Since qsizetype is signed and the profileSize unsigned, it can turn
negative, circumventing the test here.
Fixes oss-fuzz issue 29278.
Change-Id: I1e211c78db6f4ff150613f52d8fc29807f0088ff
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 05741b404ad5a8f9a490191a347e67c61456a89c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/gui')
-rw-r--r-- | src/gui/painting/qicc.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp index 5236f472a5..401b6f5d8e 100644 --- a/src/gui/painting/qicc.cpp +++ b/src/gui/painting/qicc.cpp @@ -650,7 +650,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace) const ICCProfileHeader header = qFromUnaligned<ICCProfileHeader>(data.constData()); if (!isValidIccProfile(header)) return false; // if failed we already printing a warning - if (qsizetype(header.profileSize) > data.size()) { + if (qsizetype(header.profileSize) > data.size() || qsizetype(header.profileSize) < qsizetype(sizeof(ICCProfileHeader))) { qCWarning(lcIcc) << "fromIccProfile: failed size sanity 2"; return false; } |
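Review bot: the added lower-bound term in the `if` catches the 32-bit sign wrap only indirectly. `qsizetype(header.profileSize)` still performs the narrowing signed conversion, and a wrapped (negative) value is rejected solely because every negative number is below `qsizetype(sizeof(ICCProfileHeader))`. Comparing in the unsigned domain would state the intent directly and not depend on the width of qsizetype, e.g. `if (header.profileSize > quint64(data.size()) || header.profileSize < sizeof(ICCProfileHeader))`, since `data.size()` is never negative. The lower bound is still worth keeping in its own right, as it also rejects a profileSize smaller than the header that was just read. Consider also extending the warning text, as "failed size sanity 2" now covers two distinct conditions (declared size larger than the buffer, and declared size smaller than the header) and a log line that says which one failed is easier to act on.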