From: Samuel Gaist
Date: Sat, 24 May 2025 19:07:37 +0000 (+0200)
Subject: [PATCH] Add clamping to QColorTransferGenericFunction
X-Git-Tag: archive/raspbian/6.8.2+dfsg-9+rpi1^2~20
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=76291eb59a14b2b9e90ea5b056dc3f59e1c340b6;p=qt6-base.git
[PATCH] Add clamping to QColorTransferGenericFunction
This ensures that the inputs are within range for the use of these function. Depending on the values passed, they can trigger FE_INVALID errors and thus NaN as return values. This can happen for example when feeding an invalid ICC profile to QColorSpace::fromIccProfile. Credit to OSS-Fuzz
Fixes: QTBUG-137159
Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch
Gbp-Pq: Name upstream_cve-2025-5992_input_range_qcolortransformation.diff
---
diff --git a/src/gui/painting/qcolortransfergeneric_p.h b/src/gui/painting/qcolortransfergeneric_p.h
index f9052509..69836517 100644
--- a/src/gui/painting/qcolortransfergeneric_p.h
+++ b/src/gui/painting/qcolortransfergeneric_p.h
@@ -66,6 +66,7 @@ private:
 // HLG from linear [0-12] -> [0-1]
 static float hlgFromLinear(float x)
 {
+ x = std::clamp(x, 0.f, 12.f);
 if (x > 1.f)
 return m_hlg_a * std::log(x - m_hlg_b) + m_hlg_c;
 return std::sqrt(x * 0.25f);
@@ -74,6 +75,7 @@ private:
 // HLG to linear [0-1] -> [0-12]
 static float hlgToLinear(float x)
 {
+ x = std::clamp(x, 0.f, 1.f);
 if (x < 0.5f)
 return (x * x) * 4.f;
 return std::exp((x - m_hlg_c) / m_hlg_a) + m_hlg_b;
@@ -87,6 +89,7 @@ private:
 // PQ to linear [0-1] -> [0-64]
 static float pqToLinear(float e)
 {
+ e = std::clamp(e, 0.f, 1.f);
 // m2-th root of E'
 const float eRoot = std::pow(e, 1.f / m_pq_m2);
 // rational transform
@@ -100,6 +103,7 @@ private:
 // PQ from linear [0-64] -> [0-1]
 static float pqFromLinear(float fd)
 {
+ fd = std::clamp(fd, 0.f, 64.f);
 // scale Fd to Y
 const float y = fd * (1.f / m_pq_f);
 // yRoot = Y^m1 -- "root" because m1 is <1
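Review bot: A NaN input still passes through the added `std::clamp(x, 0.f, 12.f)` in hlgFromLinear unchanged, because both ordering comparisons inside clamp are false for NaN, so the function can still return NaN for that input. Whether NaN can reach these helpers is not visible here (the callers are outside the diff), but the description names invalid ICC profiles as the trigger, so the guard could be `x = std::isnan(x) ? 0.f : std::clamp(x, 0.f, 12.f);`, with the fallback value left to the maintainers. The same applies to the clamps added in hlgToLinear, pqToLinear and pqFromLinear. The bodies of pqToLinear and pqFromLinear continue past their hunks, so any later NaN handling there is not visible.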
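Review bot: The `std::clamp` call added in hlgToLinear, like the ones in the other three hunks, needs `<algorithm>`, and this diff adds no include for it. The include block of qcolortransfergeneric_p.h is outside the visible hunks, so it may already be covered; if it is not, the header builds only through a transitive include. Adding `#include <algorithm>` alongside the existing standard headers would make the dependency explicit.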