Commit 6ebef2eb authored by Allan Sandfeld Jensen's avatar Allan Sandfeld Jensen

Fix 32bit integer overflow in ICC parsing

Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d
Reviewed-by: default avatarThiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Marc Mutz's avatarMarc Mutz <marc.mutz@kdab.com>
parent 821e71fd
......@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
}
// Don't overflow 32bit integers:
if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
qCWarning(lcIcc, "Failed tag count sanity");
return false;
}
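Review bot: The new bound on the added line is evaluated in `size_t` (the `sizeof` operands promote `INT32_MAX`), which is what makes it overflow-free on 32-bit targets, but nothing says so and the expression reads as signed arithmetic; a short comment on the line above the condition would save the next reader from re-deriving it, e.g. `// Evaluated in size_t; keeps sizeof(ICCProfileHeader) + tagCount * sizeof(TagTableEntry) below INT32_MAX so the offset computed later cannot overflow, even where qsizetype is 32-bit`. The `>=` with integer division rejects one more value than strictly necessary, which is fine, but it is worth noting that this check only prevents arithmetic overflow; the comparison of the tag table against the real profile length still has to happen where the data is read. isValidIccProfile's body starts before this hunk, so whether the profile size field is validated against the tag table there cannot be seen from here.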
......@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
// Read tag index
const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
Q_ASSERT(offsetToData > 0);
if (offsetToData > data.size()) {
qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
return false;
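Review bot: The added `Q_ASSERT(offsetToData > 0)` is compiled out in release builds, so it documents an invariant rather than enforcing one; the comment should say where the guarantee comes from, e.g. `// Cannot overflow: isValidIccProfile bounds tagCount so the product stays below INT32_MAX (assert is debug-only)`. I cannot see from this hunk whether fromIccProfile calls isValidIccProfile before reaching this point, since the function's body starts outside the hunk, so that should be confirmed. As a point of style, `tagTable` on the first hunk line is formed before the size check that validates the table; moving `const TagTableEntry *tagTable = ...` below the `if (offsetToData > data.size())` block makes it obvious that no pointer into the index exists until the index is known to fit.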
......