projects / qtbase-opensource-src.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2f66cf8)
fix buffer overflow in XBM parser
authorDebian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Wed, 19 Aug 2020 17:40:32 +0000 (18:40 +0100)
committerDmitry Shachnev <mitya57@debian.org>
Wed, 19 Aug 2020 17:40:32 +0000 (18:40 +0100)
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c71921b73b22
Last-Update: 2020-08-18

Gbp-Pq: Name CVE-2020-17507.diff

src/gui/image/qxbmhandler.cpp patch | blob | history

diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 3cd15b3e4d4e4ff8b6a7e6eb0c6e737e3b0716f7..355cae548f53e89e187062d7c7bb78305ae36128 100644 (file)
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -159,7 +159,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
     w = (w+7)/8;                                // byte width
 
     while (y < h) {                                // for all encoded bytes...
-        if (p) {                                // p = "0x.."
+        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
+            if (!isxdigit(p[2]) || !isxdigit(p[3]))
+                return false;
             *b++ = hex2byte(p+2);
             p += 2;
             if (++x == w && ++y < h) {
Unnamed repository; edit this file 'description' to name the repository.