authorRobert Löhning <robert.loehning@qt.io>2023-01-05 23:45:43 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2023-01-09 23:24:37 +0000
commit0527ceeba4205a5411eef4cfbb451a6a2719935d (patch)
tree974fe2bec8e5154db6f108d8ca89975887529b77
parent0257e9b968f7d8e47930203bf4d997071897dec3 (diff)
TGA Plugin: Fix reading of CMapDepth
It's specified to be one byte but the old code used to read an int of two bytes. Maybe this wasn't noticed because the following byte often has a value of zero. This fixes oss-fuzz issue 50741 which is an integer overflow resulting from the too large value. [ChangeLog] Fixed reading of TGA files with a non-zero X-origin Change-Id: I989bffd0e4e03caf6737e1ce085247ed54e40db0 Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Robert Löhning <robert.loehning@qt.io> (cherry picked from commit feb7864054886bfb8a99d0f8e3a06ae120f97e62) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/plugins/imageformats/tga/qtgafile.cpp15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
index 3f90043..25220d5 100644
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -220,9 +220,18 @@ QImage QTgaFile::readImage()
int offset = mHeader[IdLength]; // Mostly always zero
- // Even in TrueColor files a color pallette may be present
- if (mHeader[ColorMapType] == 1)
- offset += littleEndianInt(&mHeader[CMapLength]) * littleEndianInt(&mHeader[CMapDepth]);
+ // Even in TrueColor files a color palette may be present so we have to check it here
+ // even we only support image type 2 (= uncompressed true-color image)
+ if (mHeader[ColorMapType] == 1) {
+ int cmapDepth = mHeader[CMapDepth];
+ if (cmapDepth == 15) // 15 bit is stored as 16 bit + ignoring the highest bit (no alpha)
+ cmapDepth = 16;
+ if (cmapDepth != 16 && cmapDepth != 24 && cmapDepth != 32) {
+ mErrorMessage = tr("Invalid color map depth (%1)").arg(cmapDepth);
+ return {};
+ }
+ offset += littleEndianInt(&mHeader[CMapLength]) * cmapDepth / 8;
+ }
mDevice->seek(HeaderSize + offset);
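Review bot: The offset computed in the new `if (mHeader[ColorMapType] == 1)` block still feeds `mDevice->seek(HeaderSize + offset)` on the last line of the hunk without the result being checked, so a file whose CMapLength claims more colour-map bytes than the file actually holds passes the new depth validation and carries on after a failed seek. With the depth limited to 16/24/32 the product can no longer overflow, but it is still file-controlled (up to 65535 entries of 4 bytes each), so I would fail early: `if (!mDevice->seek(HeaderSize + offset)) { mErrorMessage = tr("Could not seek to image data"); return {}; }`. The pixel-reading code after the seek is outside the hunk, so please confirm how it behaves on a truncated file. Separately, the new comment reads better as `// even though we only support image type 2 (= uncompressed true-color image)`, and a line stating that CMapDepth is a single byte (the next header byte belongs to the X-origin field) would record why the old two-byte read was wrong.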