-rw-r--r--src/gui/image/qxpmhandler.cpp2
-rw-r--r--tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm1
-rw-r--r--tests/auto/gui/image/qimagereader/tst_qimagereader.cpp8
3 files changed, 10 insertions, 1 deletions
diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
index 17272ffe69..417dab7ce3 100644
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@@ -973,7 +973,7 @@ static bool read_xpm_body(
} else {
char b[16];
b[cpp] = '\0';
- for (x=0; x<w && d<end; x++) {
+ for (x=0; x<w && d+cpp<end; x++) {
memcpy(b, (char *)d, cpp);
*p++ = (uchar)colorMap[xpmHash(b)];
d += cpp;
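Review bot: The new guard `d+cpp<end` first advances `d` by `cpp`, which forms a pointer more than one past the end of the buffer exactly in the truncated-input case the fix is for, and that pointer arithmetic is undefined behaviour in C++ even though only the comparison is observed. Expressing the bound as a remaining-byte count keeps the same semantics without the out-of-range pointer: `for (x=0; x<w && end-d > cpp; x++) {`. Note that this check is one byte stricter than the `memcpy(b, (char *)d, cpp)` on the next line needs, since a last pixel ending exactly at `end` is now skipped; whether that is intended depends on what `end` points at, which is outside the hunk. The 16-byte target `b` presumably relies on `cpp` being bounded earlier in read_xpm_body, but that check is not visible here; read_xpm_body begins and ends outside the hunk.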
diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
new file mode 100644
index 0000000000..7e6c1e4ca2
--- /dev/null
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@@ -0,0 +1 @@
+/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ " \ No newline at end of file
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 1eee2f273e..0135e48c7d 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -167,6 +167,8 @@ private slots:
void devicePixelRatio_data();
void devicePixelRatio();
+ void xpmBufferOverflow();
+
private:
QString prefix;
QTemporaryDir m_temporaryDir;
@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
QCOMPARE(img.devicePixelRatio(), dpr);
}
+void tst_QImageReader::xpmBufferOverflow()
+{
+ // Please note that the overflow only showed when Qt was configured with "-sanitize address".
+ QImageReader(":/images/oss-fuzz-23988.xpm").read();
+}
+
QTEST_MAIN(tst_QImageReader)
#include "tst_qimagereader.moc"
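Review bot: The new xpmBufferOverflow() body discards the result of `read()` and asserts nothing, so, as its own comment admits, it only detects a regression when Qt is built with AddressSanitizer; in an ordinary build the over-read passes silently. The comment should at least state what the fixture exercises so a later reader knows why the test exists, e.g. `// Regression test for oss-fuzz 23988: the pixel-row loop in read_xpm_body() read past the end of a truncated XPM. Only observable with "-sanitize address"; the test passes if read() returns without a report.` If the malformed file is expected to fail decoding, pinning that with `QVERIFY(QImageReader(":/images/oss-fuzz-23988.xpm").read().isNull());` would give the test a sanitizer-independent assertion, but whether the reader is meant to reject this input is not visible in the commit.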