From a2501fff818971a375a927038792140aed6ef4b6 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 27 Jun 2022 10:51:58 +0200
Subject: Avoid reading outside allocated buffer
Bound the inverse lookup result on the low end as well.
Pick-to: 6.4 6.3 6.2
Fixes: QTBUG-104583
Change-Id: Id357fe1c39c88776075d737b08fc2864a2b6e829
Reviewed-by: Eirik Aavitsland
---
 src/gui/painting/qcolortransfertable_p.h | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src/gui')
diff --git a/src/gui/painting/qcolortransfertable_p.h b/src/gui/painting/qcolortransfertable_p.h
index ac1f843912..4563acf1fa 100644
--- a/src/gui/painting/qcolortransfertable_p.h
+++ b/src/gui/painting/qcolortransfertable_p.h
@@ -105,6 +105,8 @@ public:
 uint32_t i = static_cast(std::floor(resultLargerThan * (m_tableSize - 1)));
 auto it = std::lower_bound(m_table16.cbegin() + i, m_table16.cend(), v);
 i = it - m_table16.cbegin();
+ if (i == 0)
+ return 0.0f;
 if (i >= m_tableSize - 1)
 return 1.0f;
 const float y1 = m_table16[i - 1];
@@ -119,6 +121,8 @@ public:
 uint32_t i = static_cast(std::floor(resultLargerThan * (m_tableSize - 1)));
 auto it = std::lower_bound(m_table8.cbegin() + i, m_table8.cend(), v);
 i = it - m_table8.cbegin();
+ if (i == 0)
+ return 0.0f;
 if (i >= m_tableSize - 1)
 return 1.0f;
 const float y1 = m_table8[i - 1];
-- 
cgit v1.2.3
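Review bot: Both guards around the lookup bound `i` by `m_tableSize`, while the reads that follow index `m_table16` (and `m_table8` in the second hunk, which has the same shape), so the out-of-bounds read is only fully closed if `m_tableSize` always equals the container's length and `resultLargerThan` stays within [0, 1] for the `cbegin() + i` start iterator. Neither condition is visible here, because the enclosing function begins and ends outside the hunk. If these tables can be built from parsed profile data, I would pin the invariant next to the lookup, for example `Q_ASSERT(size_t(m_table16.size()) == size_t(m_tableSize));`, and make sure it is enforced where the table is constructed, since the assert is compiled out of release builds. The new early return also deserves a one-line comment such as `// lower_bound hit the first entry: m_table16[i - 1] would index below the table`, so the `i == 0` case does not read as an arbitrary special case.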