From cd2dc5026e152d6cf57895fe4f41cabdf2bb3eca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?=
Date: Fri, 1 Nov 2019 01:59:59 +0100
Subject: [PATCH] Fix crash in tqimage for certain malformed ppm image files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to potentional overflow when the value was used in 16 bits context. Based on Qt5 patch for CVE-2018-19872.
Signed-off-by: Slávek Banko
(cherry picked from commit 4470facd61b6d9fd862f70ce56f22ab502415d23)
---
 src/kernel/qimage.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/kernel/qimage.cpp b/src/kernel/qimage.cpp
index 0d7b9aaa..00608e79 100644
--- a/src/kernel/qimage.cpp
+++ b/src/kernel/qimage.cpp
@@ -5196,7 +5196,7 @@ static void read_pbm_image( TQImageIO *iio ) // read PBM image data
 mcc = 1; // ignore max color component
 else
 mcc = read_pbm_int( d ); // get max color component
- if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 )
+ if ( w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff )
 return; // weird P.M image
 int maxc = mcc;
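Review bot: The new `mcc > 0xffff` bound on the `if` line only holds if `read_pbm_int( d )` cannot wrap while accumulating digits, and that helper is outside this hunk, so it is worth confirming that it rejects or saturates over-long numeric fields. If it does not, an oversized field in an untrusted file could wrap back into the accepted range, or hit signed-overflow undefined behaviour, before this test runs; the same would apply to `w` and `h` if they are read the same way. The literal also deserves a why-comment on the condition, for example `// PPM maxval must be < 65536; larger values overflow later 16-bit use`, since the existing `// weird P.M image` does not say which limit is being enforced. The body of read_pbm_image starts and ends outside the hunk.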