Fix crash in tqimage for certain malformed ppm image files

The ppm format specifies that the maximum color value field must be
less than 65536. The handler did not enforce this, leading to
potentional overflow when the value was used in 16 bits context.

Based on Qt5 patch for CVE-2018-19872.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
(cherry picked from commit 4470facd61)
r14.0.x r14.0.7
Slávek Banko 5 years ago
parent b90f9cb6ca
commit cd2dc5026e
No known key found for this signature in database
GPG Key ID: 608F5293A04BE668

@ -5196,7 +5196,7 @@ static void read_pbm_image( TQImageIO *iio ) // read PBM image data
mcc = 1; // ignore max color component mcc = 1; // ignore max color component
else else
mcc = read_pbm_int( d ); // get max color component mcc = read_pbm_int( d ); // get max color component
if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 ) if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff )
return; // weird P.M image return; // weird P.M image
int maxc = mcc; int maxc = mcc;

Loading…
Cancel
Save