Fix 32bit integer overflow in ICC parsing

Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d Reviewed-by: Thiago Macieira <[email protected]> Reviewed-by: Marc Mutz <[email protected]>
fwcd · May 4, 2020 · 6ebef2e · 6ebef2e
1 parent 821e71f
commit 6ebef2e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
     }
 
     // Don't overflow 32bit integers:
-    if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+    if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
         qCWarning(lcIcc, "Failed tag count sanity");
         return false;
     }
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
     // Read tag index
     const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
     const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+    Q_ASSERT(offsetToData > 0);
     if (offsetToData > data.size()) {
         qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
         return false;