aboutsummaryrefslogtreecommitdiffstats
path: root/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch
diff options
context:
space:
mode:
Diffstat (limited to 'community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch')
-rw-r--r--community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch
new file mode 100644
index 0000000000..16a0cef127
--- /dev/null
+++ b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch
@@ -0,0 +1,88 @@
+From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: [PATCH] Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index f065616..72ce7f7 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -159,7 +159,9 @@
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index cf8a0d1..984a7c7 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -175,6 +175,8 @@
+
+ void xpmBufferOverflow();
+
++ void xbmBufferHandling();
++
+ private:
+ QString prefix;
+ QTemporaryDir m_temporaryDir;
+@@ -2055,5 +2057,41 @@
+ QImageReader(":/images/oss-fuzz-23988.xpm").read();
+ }
+
++void tst_QImageReader::xbmBufferHandling()
++{
++ uint8_t original_buffer[256];
++ for (int i = 0; i < 256; ++i)
++ original_buffer[i] = i;
++
++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++ image.setColorTable({0xff000000, 0xffffffff});
++
++ QByteArray buffer;
++ {
++ QBuffer buf(&buffer);
++ QImageWriter writer(&buf, "xbm");
++ writer.write(image);
++ }
++
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++ auto i = buffer.indexOf(',');
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++#if 0 // Lines longer than 300 chars not supported currently
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++ i = buffer.lastIndexOf("\n ");
++ buffer.truncate(i + 1);
++ buffer.append(QByteArray(297, ' '));
++ buffer.append("0x");
++ // Only check we get no buffer overflow
++ QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"