From f16f194a62a775641e28ef820ca1523d26625395 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Tue, 26 Jan 2021 12:07:53 +0100
Subject: Protect against sign-change of size on 32bit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since qsizetype is signed and the profileSize unsigned, it can turn negative circumventing the test here.

Fixes oss-fuzz issue 29278.

Change-Id: I1e211c78db6f4ff150613f52d8fc29807f0088ff
Reviewed-by: Robert Löhning
Reviewed-by: Eirik Aavitsland
(cherry picked from commit 05741b404ad5a8f9a490191a347e67c61456a89c)
Reviewed-by: Qt Cherry-pick Bot
---
 src/gui/painting/qicc.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/gui')

diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 5e30ace549..149a67655a 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -646,7 +646,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
 const ICCProfileHeader header = qFromUnaligned(data.constData());
 if (!isValidIccProfile(header))
 return false; // if failed we already printing a warning
- if (qsizetype(header.profileSize) > data.size()) {
+ if (qsizetype(header.profileSize) > data.size() || qsizetype(header.profileSize) < qsizetype(sizeof(ICCProfileHeader))) {
 qCWarning(lcIcc) << "fromIccProfile: failed size sanity 2";
 return false;
 }
--
cgit v1.2.3
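Review bot: The added lower bound `qsizetype(header.profileSize) < qsizetype(sizeof(ICCProfileHeader))` catches the 32-bit case only because an out-of-range unsigned-to-signed conversion happens to wrap negative; before C++20 that result is implementation-defined rather than guaranteed, and the real intent (reject a profile size larger than the buffer or smaller than the header) is hidden behind the two casts. Comparing in the unsigned domain states the intent directly and needs no wrap behaviour: `if (header.profileSize > quint64(data.size()) || header.profileSize < sizeof(ICCProfileHeader)) {` — `data.size()` is never negative, so widening it to quint64 is lossless on both 32- and 64-bit builds (this assumes profileSize is, or converts to, a plain unsigned integer, as the commit message states). The warning text `"fromIccProfile: failed size sanity 2"` could also say which bound tripped, which shortens triage of fuzzer reports like the one this fixes. fromIccProfile begins before the hunk and its body continues after the closing brace shown.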