From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Thu, 9 Jul 2020 13:33:34 +0200
Subject: Fix buffer overflow

Fixes: oss-fuzz-23988
Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/image/qxpmhandler.cpp                               | 2 +-
 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 +
 tests/auto/gui/image/qimagereader/tst_qimagereader.cpp      | 8 ++++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm

diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
index 17272ffe69..417dab7ce3 100644
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@@ -973,7 +973,7 @@ static bool read_xpm_body(
             } else {
                 char b[16];
                 b[cpp] = '\0';
-                for (x=0; x<w && d<end; x++) {
+                for (x=0; x<w && d+cpp<end; x++) {
                     memcpy(b, (char *)d, cpp);
                     *p++ = (uchar)colorMap[xpmHash(b)];
                     d += cpp;
diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
new file mode 100644
index 0000000000..7e6c1e4ca2
--- /dev/null
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@@ -0,0 +1 @@
+/* XPM "20 8 1 7""    ÿÿ c  ÿ"  "             ÿÿÿÿÿÿÿ                " 
\ No newline at end of file
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 1eee2f273e..0135e48c7d 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -167,6 +167,8 @@ private slots:
     void devicePixelRatio_data();
     void devicePixelRatio();
 
+    void xpmBufferOverflow();
+
 private:
     QString prefix;
     QTemporaryDir m_temporaryDir;
@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
     QCOMPARE(img.devicePixelRatio(), dpr);
 }
 
+void tst_QImageReader::xpmBufferOverflow()
+{
+    // Please note that the overflow only showed when Qt was configured with "-sanitize address".
+    QImageReader(":/images/oss-fuzz-23988.xpm").read();
+}
+
 QTEST_MAIN(tst_QImageReader)
 #include "tst_qimagereader.moc"
-- 
cgit v1.2.3