From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Thu, 9 Jul 2020 13:33:34 +0200
Subject: [PATCH] Fix buffer overflow

Fixes: oss-fuzz-23988
Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/image/qxpmhandler.cpp                               | 2 +-
 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 +
 tests/auto/gui/image/qimagereader/tst_qimagereader.cpp      | 8 ++++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm

diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
index 17272ffe69b..417dab7ce3f 100644
--- a/src/gui/image/qxpmhandler.cpp
+++ b/src/gui/image/qxpmhandler.cpp
@@ -973,7 +973,7 @@ static bool read_xpm_body(
             } else {
                 char b[16];
                 b[cpp] = '\0';
-                for (x=0; x<w && d<end; x++) {
+                for (x=0; x<w && d+cpp<end; x++) {
                     memcpy(b, (char *)d, cpp);
                     *p++ = (uchar)colorMap[xpmHash(b)];
                     d += cpp;
diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
new file mode 100644
index 00000000000..7e6c1e4ca2e
--- /dev/null
+++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
@@ -0,0 +1 @@
+/* XPM "20 8 1 7""    ÿÿ c  ÿ"  "             ÿÿÿÿÿÿÿ                " 
\ No newline at end of file
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 1eee2f273ef..0135e48c7df 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -167,6 +167,8 @@ private slots:
     void devicePixelRatio_data();
     void devicePixelRatio();
 
+    void xpmBufferOverflow();
+
 private:
     QString prefix;
     QTemporaryDir m_temporaryDir;
@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
     QCOMPARE(img.devicePixelRatio(), dpr);
 }
 
+void tst_QImageReader::xpmBufferOverflow()
+{
+    // Please note that the overflow only showed when Qt was configured with "-sanitize address".
+    QImageReader(":/images/oss-fuzz-23988.xpm").read();
+}
+
 QTEST_MAIN(tst_QImageReader)
 #include "tst_qimagereader.moc"
-- 
2.16.3

From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 23 Jul 2020 11:48:48 +0200
Subject: [PATCH] Fix buffer overflow in XBM parser

Avoid parsing over the buffer limit, or interpreting non-hex
as hex.

This still leaves parsing of lines longer than 300 chars
unreliable

Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 src/gui/image/qxbmhandler.cpp                      |  4 ++-
 .../gui/image/qimagereader/tst_qimagereader.cpp    | 37 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 7ba44049b48..8c4be4f0eda 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
     w = (w+7)/8;                                // byte width
 
     while (y < h) {                                // for all encoded bytes...
-        if (p) {                                // p = "0x.."
+        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
+            if (!isxdigit(p[2]) || !isxdigit(p[3]))
+                return false;
             *b++ = hex2byte(p+2);
             p += 2;
             if (++x == w && ++y < h) {
diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
index 0135e48c7df..61b11a77794 100644
--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
@@ -168,6 +168,7 @@ private slots:
     void devicePixelRatio();
 
     void xpmBufferOverflow();
+    void xbmBufferHandling();
 
 private:
     QString prefix;
@@ -2010,5 +2011,41 @@ void tst_QImageReader::xpmBufferOverflow()
     QImageReader(":/images/oss-fuzz-23988.xpm").read();
 }
 
+void tst_QImageReader::xbmBufferHandling()
+{
+    uint8_t original_buffer[256];
+    for (int i = 0; i < 256; ++i)
+        original_buffer[i] = i;
+
+    QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
+    image.setColorTable({0xff000000, 0xffffffff});
+
+    QByteArray buffer;
+    {
+        QBuffer buf(&buffer);
+        QImageWriter writer(&buf, "xbm");
+        writer.write(image);
+    }
+
+    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+
+    auto i = buffer.indexOf(',');
+    buffer.insert(i + 1, "                                                                                ");
+    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+    buffer.insert(i + 1, "                                                                                ");
+    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+    buffer.insert(i + 1, "                                                                              ");
+#if 0   // Lines longer than 300 chars not supported currently
+    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
+#endif
+
+    i = buffer.lastIndexOf("\n ");
+    buffer.truncate(i + 1);
+    buffer.append(QByteArray(297, ' '));
+    buffer.append("0x");
+    // Only check we get no buffer overflow
+    QImage::fromData(buffer, "xbm");
+}
+
 QTEST_MAIN(tst_QImageReader)
 #include "tst_qimagereader.moc"
-- 
2.16.3