fix buffer overflow in XBM parser

author Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>

Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)

committer Adrian Bunk <bunk@debian.org>

Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)
author Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)
committer Adrian Bunk <bunk@debian.org>
Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp

index 414e82331755a415249306241f09bcaad905148b..2824480b5ba4df4f81fb4e2bdac0e87a9aa5d7df 100644 (file)
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
      w = (w+7)/8;                                // byte width
  
      while (y < h) {                                // for all encoded bytes...
-        if (p) {                                // p = "0x.."
+        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
+            if (!isxdigit(p[2]) || !isxdigit(p[3]))
+                return false;
              *b++ = hex2byte(p+2);
              p += 2;
              if (++x == w && ++y < h) {
author	Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
	Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)
committer	Adrian Bunk <bunk@debian.org>
	Sun, 20 Sep 2020 19:01:50 +0000 (20:01 +0100)