Fixed some potential index-out-of-bounds issues in QImage.

Added color table bounds checks when converting a color indexed
image to a different pixel format. Fixed an off-by-one error in
the color table bounds check in QImage::setPixel(). Fixed an
autotest that was setting pixel values out of bounds.

Reviewed-by: Gunnar

1 files changed, 22 insertions, 4 deletions

diff --git a/src/gui/image/qimage.cpp b/src/gui/image/qimage.cpp
index bb8a994..79f266d 100644
--- a/src/gui/image/qimage.cpp
+++ b/src/gui/image/qimage.cpp
@@ -2338,6 +2338,12 @@ static bool convert_indexed8_to_ARGB_PM_inplace(QImageData *data, Qt::ImageConve
     const int width = data->width;
     const int src_pad = data->bytes_per_line - width;
     const int dest_pad = (dst_bytes_per_line >> 2) - width;
+    if (data->colortable.size() == 0) {
+        data->colortable.resize(256);
+        for (int i = 0; i < 256; ++i)
+            data->colortable[i] = qRgb(i, i, i);
+    }
+    const int tableSize = data->colortable.size() - 1;
 
     for (int i = 0; i < data->height; ++i) {
         src_data -= src_pad;
@@ -2345,7 +2351,7 @@ static bool convert_indexed8_to_ARGB_PM_inplace(QImageData *data, Qt::ImageConve
         for (int pixI = 0; pixI < width; ++pixI) {
             --src_data;
             --dest_data;
-            const uint pixel = data->colortable[*src_data];
+            const uint pixel = data->colortable[qMin<int>(tableSize, *src_data)];
             *dest_data = (quint32) PREMUL(pixel);
         }
     }
@@ -2377,6 +2383,12 @@ static bool convert_indexed8_to_RGB_inplace(QImageData *data, Qt::ImageConversio
     const int width = data->width;
     const int src_pad = data->bytes_per_line - width;
     const int dest_pad = (dst_bytes_per_line >> 2) - width;
+    if (data->colortable.size() == 0) {
+        data->colortable.resize(256);
+        for (int i = 0; i < 256; ++i)
+            data->colortable[i] = qRgb(i, i, i);
+    }
+    const int tableSize = data->colortable.size() - 1;
 
     for (int i = 0; i < data->height; ++i) {
         src_data -= src_pad;
@@ -2384,7 +2396,7 @@ static bool convert_indexed8_to_RGB_inplace(QImageData *data, Qt::ImageConversio
         for (int pixI = 0; pixI < width; ++pixI) {
             --src_data;
             --dest_data;
-            *dest_data = (quint32) data->colortable[*src_data];
+            *dest_data = (quint32) data->colortable[qMin<int>(tableSize, *src_data)];
         }
     }
 
@@ -2415,6 +2427,12 @@ static bool convert_indexed8_to_RGB16_inplace(QImageData *data, Qt::ImageConvers
     const int width = data->width;
     const int src_pad = data->bytes_per_line - width;
     const int dest_pad = (dst_bytes_per_line >> 1) - width;
+    if (data->colortable.size() == 0) {
+        data->colortable.resize(256);
+        for (int i = 0; i < 256; ++i)
+            data->colortable[i] = qRgb(i, i, i);
+    }
+    const int tableSize = data->colortable.size() - 1;
 
     for (int i = 0; i < data->height; ++i) {
         src_data -= src_pad;
@@ -2422,7 +2440,7 @@ static bool convert_indexed8_to_RGB16_inplace(QImageData *data, Qt::ImageConvers
         for (int pixI = 0; pixI < width; ++pixI) {
             --src_data;
             --dest_data;
-            const uint pixel = data->colortable[*src_data];
+            const uint pixel = data->colortable[qMin<int>(tableSize, *src_data)];
             *dest_data = qt_colorConvert<quint16, quint32>(pixel, 0);
         }
     }
@@ -4061,7 +4079,7 @@ void QImage::setPixel(int x, int y, uint index_or_rgb)
         }
         break;
     case Format_Indexed8:
-        if (index_or_rgb > (uint)d->colortable.size()) {
+        if (index_or_rgb >= (uint)d->colortable.size()) {
             qWarning("QImage::setPixel: Index %d out of range", index_or_rgb);
             return;
         }