File 0001-Fix-buffer-overflow-in-XBM-parser.patch of Package libqt5-qtbase.18897
From 989186b99acf00bc5ef13114ff4c388c6f1d7a1b Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 23 Jul 2020 11:48:48 +0200
Subject: [PATCH 1/5] Fix buffer overflow in XBM parser
Avoid parsing over the buffer limit, or interpreting non-hex
as hex.
This still leaves parsing of lines longer than 300 chars
unreliable
Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 35ecd0b69d58bcc8113afc5e449aef841c73e26c)
---
src/gui/image/qxbmhandler.cpp | 4 +-
.../image/qimagereader/tst_qimagereader.cpp | 38 +++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 44d07f1624..38bfa77c59 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -146,7 +146,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
w = (w+7)/8; // byte width
while (y < h) { // for all encoded bytes...
- if (p) { // p = "0x.."
+ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
+ if (!isxdigit(p[2]) || !isxdigit(p[3]))
+ return false;
*b++ = hex2byte(p+2);
p += 2;
if (++x == w && ++y < h) {
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index ff15dc5b6d..4991e18828 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -166,6 +166,8 @@ private slots:
void preserveTexts_data();
void preserveTexts();
+ void xpmBufferOverflow();
+ void xbmBufferHandling();
private:
QString prefix;
QTemporaryDir m_temporaryDir;
@@ -1895,5 +1897,41 @@ void tst_QImageReader::preserveTexts()
}
+void tst_QImageReader::xbmBufferHandling()
+{
+ uint8_t original_buffer[256];
+ for (int i = 0; i < 256; ++i)
+ original_buffer[i] = i;
+
+ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
+ image.setColorTable({0xff000000, 0xffffffff});
+
+ QByteArray buffer;
+ {
+ QBuffer buf(&buffer);
+ QImageWriter writer(&buf, "xbm");
+ writer.write(image);
+ }
+
+ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+
+ auto i = buffer.indexOf(',');
+ buffer.insert(i + 1, " ");
+ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+ buffer.insert(i + 1, " ");
+ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+ buffer.insert(i + 1, " ");
+#if 0 // Lines longer than 300 chars not supported currently
+ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+#endif
+
+ i = buffer.lastIndexOf("\n ");
+ buffer.truncate(i + 1);
+ buffer.append(QByteArray(297, ' '));
+ buffer.append("0x");
+ // Only check we get no buffer overflow
+ QImage::fromData(buffer, "xbm");
+}
+
QTEST_MAIN(tst_QImageReader)
#include "tst_qimagereader.moc"
--
2.25.1
