[PATCH] Add clamping to QColorTransferGenericFunction

This ensures that the inputs are within range for the use of these
function.

Depending on the values passed, they can trigger FE_INVALID errors
and thus NaN as return values.

This can happen for example when feeding an invalid ICC profile to
QColorSpace::fromIccProfile.

Credit to OSS-Fuzz

Fixes: QTBUG-137159
Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch

Gbp-Pq: Name upstream_cve-2025-5992_input_range_qcolortransformation.diff

diff --git a/src/gui/painting/qcolortransfergeneric_p.h b/src/gui/painting/qcolortransfergeneric_p.h
index f9052509df5dbb9fef84fbef03510797bec31dca..6983651794d824a21df4d157042fab08797c1424 100644 (file)
--- a/src/gui/painting/qcolortransfergeneric_p.h
+++ b/src/gui/painting/qcolortransfergeneric_p.h
@@ -66,6 +66,7 @@ private:
     // HLG from linear [0-12] -> [0-1]
     static float hlgFromLinear(float x)
     {
+        x = std::clamp(x, 0.f, 12.f);
         if (x > 1.f)
             return m_hlg_a * std::log(x - m_hlg_b) + m_hlg_c;
         return std::sqrt(x * 0.25f);
@@ -74,6 +75,7 @@ private:
     // HLG to linear [0-1] -> [0-12]
     static float hlgToLinear(float x)
     {
+        x = std::clamp(x, 0.f, 1.f);
         if (x < 0.5f)
             return (x * x) * 4.f;
         return std::exp((x - m_hlg_c) / m_hlg_a) + m_hlg_b;
@@ -87,6 +89,7 @@ private:
     // PQ to linear [0-1] -> [0-64]
     static float pqToLinear(float e)
     {
+        e = std::clamp(e, 0.f, 1.f);
         // m2-th root of E'
         const float eRoot = std::pow(e, 1.f / m_pq_m2);
         // rational transform
@@ -100,6 +103,7 @@ private:
     // PQ from linear [0-64] -> [0-1]
     static float pqFromLinear(float fd)
     {
+        fd = std::clamp(fd, 0.f, 64.f);
         // scale Fd to Y
         const float y = fd * (1.f / m_pq_f);
         // yRoot = Y^m1 -- "root" because m1 is <1