From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Date: Sun, 20 Sep 2020 19:01:50 +0000 (+0100)
Subject: fix buffer overflow in XBM parser
X-Git-Tag: archive/raspbian/4%4.8.7+dfsg-11+rpi1+deb9u1^2~47
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5b5252071af9a7f454d8804ec481d716cca7e892;p=qt4-x11.git

fix buffer overflow in XBM parser

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c71921b73b22
Last-Update: 2020-08-18


Gbp-Pq: Name CVE-2020-17507.patch
---

diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 414e82331..2824480b5 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
     w = (w+7)/8;                                // byte width
 
     while (y < h) {                                // for all encoded bytes...
-        if (p) {                                // p = "0x.."
+        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
+            if (!isxdigit(p[2]) || !isxdigit(p[3]))
+                return false;
             *b++ = hex2byte(p+2);
             p += 2;
             if (++x == w && ++y < h) {