From 483aff406a8cd9bb824cbd39a0a20619fe9b1fa2 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Wed, 5 Oct 2016 00:10:23 +0200
Subject: QColor: Fix use of uninit'ed value in get_hex_rgb()

If len == 0, we didn't write anything to 'tmp', but get_hex_rgb()
unconditionally reads tmp[0] (aliased to name[0] in get_hex_rgb()).

Fix by terminating the tmp array, thus ensuring that the comparison
against '#' in get_hex_rgb() fails.

Introduced in a41393d0bc05998a7de2dcf872953b6d24b71e96.

Coverity-Id: 171477
Change-Id: I53952aff7035813ed6abc74d402953bc9cfa76f1
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
---
 src/gui/painting/qcolor.cpp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/gui/painting/qcolor.cpp')

diff --git a/src/gui/painting/qcolor.cpp b/src/gui/painting/qcolor.cpp
index 05790c4504..e3dbf663e1 100644
--- a/src/gui/painting/qcolor.cpp
+++ b/src/gui/painting/qcolor.cpp
@@ -131,6 +131,7 @@ static bool get_hex_rgb(const QChar *str, int len, QRgb *rgb)
     char tmp[16];
     for (int i = 0; i < len; ++i)
         tmp[i] = str[i].toLatin1();
+    tmp[len] = 0;
     return get_hex_rgb(tmp, len, rgb);
 }
 
-- 
cgit v1.2.3