From d75cc5b73b65b1bc3f613dd22479c7a617c6e7d5 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Thu, 2 Aug 2018 13:11:20 +0200
Subject: [PATCH] [PATCH] Fix crash in qppmhandler for certain malformed image files

The ppm format specifies that the maximum color value field must be less than 65536. The handler did not enforce this, leading to potentional overflow when the value was used in 16 bits context.

Task-number: QTBUG-69449
Change-Id: Iea7a7e0f8953ec1ea8571e215687d12a9d77e11c
Reviewed-by: Lars Knoll
Gbp-Pq: Name CVE-2018-19872.patch
---
 src/gui/image/qppmhandler.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
index 9cacfab2e..6ab58b251 100644
--- a/src/gui/image/qppmhandler.cpp
+++ b/src/gui/image/qppmhandler.cpp
@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
 else
 mcc = read_pbm_int(device); // get max color component
- if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
+ if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
 return false; // weird P.M image
 return true;
-- 
2.30.2
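Review bot: The new `mcc > 0xffff` bound in read_pbm_header's validity check is a bare literal beside the generic "weird P.M image" comment, so the reason for the limit lives only in the commit message. A comment on the condition such as `// maxval must fit in 16 bits (PPM spec: < 65536); larger values overflow later 16-bit use` would keep the bound from being relaxed by a later cleanup. The diffstat shows only qppmhandler.cpp changed, so no regression case with an oversized maximum-colour field in the header accompanies the fix; a small malformed-header input in the image reader tests would pin the rejection. The function begins and ends outside the hunk, so how mcc is consumed after this check is not visible here.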