Fix out-of-buffer in ICC curv parsing

After the unaligned ICC profile fix, we could read 2 bytes past the end of the buffer for curv elements with 0 parameters, though we wouldn't use or return the data. Pick-to: 6.1 6.0 5.15 Change-Id: Ibea9fa2840c01d690716d8f48e301fbfa67aa163 Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2021-02-26 09:59:53 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2021-02-28 17:45:05 +0000
commit: 840c8b4de2556c22d8b131573a338268dd0107a5 (patch)
tree: d42ec0e399626e8e5cda642c906d4de289eb7566 /src/gui
parent: 9d6ba110e8f98463d136fa97993db6d1968479c1 (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 028e800c48..09ac40b50e 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -165,7 +165,7 @@ struct XYZTagData : GenericTagData {
 
 struct CurvTagData : GenericTagData {
     quint32_be valueCount;
-    quint16_be value[1];
+    // followed by curv values: quint16_be[]
 };
 
 struct ParaTagData : GenericTagData {
@@ -470,25 +470,26 @@ bool parseTRC(const QByteArray &data, const TagEntry &tagEntry, QColorTrc &gamma
     const GenericTagData trcData = qFromUnaligned<GenericTagData>(data.constData()
                                                                   + tagEntry.offset);
     if (trcData.type == quint32(Tag::curv)) {
+        Q_STATIC_ASSERT(sizeof(CurvTagData) == 12);
         const CurvTagData curv = qFromUnaligned<CurvTagData>(data.constData() + tagEntry.offset);
         if (curv.valueCount > (1 << 16))
             return false;
         if (tagEntry.size - 12 < 2 * curv.valueCount)
             return false;
+        const auto valueOffset = tagEntry.offset + sizeof(CurvTagData);
         if (curv.valueCount == 0) {
             gamma.m_type = QColorTrc::Type::Function;
             gamma.m_fun = QColorTransferFunction(); // Linear
         } else if (curv.valueCount == 1) {
-            float g = curv.value[0] * (1.0f / 256.0f);
+            const quint16 v = qFromBigEndian<quint16>(data.constData() + valueOffset);
             gamma.m_type = QColorTrc::Type::Function;
-            gamma.m_fun = QColorTransferFunction::fromGamma(g);
+            gamma.m_fun = QColorTransferFunction::fromGamma(v * (1.0f / 256.0f));
         } else {
             QList<quint16> tabl;
             tabl.resize(curv.valueCount);
             static_assert(sizeof(GenericTagData) == 2 * sizeof(quint32_be),
                           "GenericTagData has padding. The following code is a subject to UB.");
-            const auto offset = tagEntry.offset + sizeof(GenericTagData) + sizeof(quint32_be);
-            qFromBigEndian<quint16>(data.constData() + offset, curv.valueCount, tabl.data());
+            qFromBigEndian<quint16>(data.constData() + valueOffset, curv.valueCount, tabl.data());
             QColorTransferTable table = QColorTransferTable(curv.valueCount, std::move(tabl));
             QColorTransferFunction curve;
             if (!table.checkValidity()) {
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2021-02-26 09:59:53 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2021-02-28 17:45:05 +0000
commit	840c8b4de2556c22d8b131573a338268dd0107a5 (patch)
tree	d42ec0e399626e8e5cda642c906d4de289eb7566 /src/gui
parent	9d6ba110e8f98463d136fa97993db6d1968479c1 (diff)