[PATCH] Fix crash in qppmhandler for certain malformed image files

The ppm format specifies that the maximum color value field must be
less than 65536. The handler did not enforce this, leading to
potentional overflow when the value was used in 16 bits context.

Task-number: QTBUG-69449
Change-Id: Iea7a7e0f8953ec1ea8571e215687d12a9d77e11c
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Gbp-Pq: Name CVE-2018-19872.patch

diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
index 9cacfab2eb95d357392a2a541ab242489c967453..6ab58b2514544e232dd135afe9295bb4a3f3d91e 100644 (file)
--- a/src/gui/image/qppmhandler.cpp
+++ b/src/gui/image/qppmhandler.cpp
@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
     else
         mcc = read_pbm_int(device);               // get max color component
 
-    if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
+    if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
         return false;                                        // weird P.M image
 
     return true;