From beb376460b9f69bfa87bd0ae4fa95cf7b8054257 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io>
Date: Thu, 5 Jan 2023 23:45:43 +0100
Subject: TGA Plugin: Fix reading of CMapDepth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's specified to be one byte but the old code used to read an int of
two bytes. Maybe this wasn't noticed because the following byte often
has a value of zero.

This fixes oss-fuzz issue 50741 which is an integer
overflow resulting from the too large value.

[ChangeLog] Fixed reading of TGA files with a non-zero X-origin

Change-Id: I989bffd0e4e03caf6737e1ce085247ed54e40db0
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
(cherry picked from commit feb7864054886bfb8a99d0f8e3a06ae120f97e62)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/plugins/imageformats/tga/qtgafile.cpp | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
index a1c0e05..f1b9af3 100644
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -185,9 +185,18 @@ QImage QTgaFile::readImage()
 
     int offset = mHeader[IdLength];  // Mostly always zero
 
-    // Even in TrueColor files a color pallette may be present
-    if (mHeader[ColorMapType] == 1)
-        offset += littleEndianInt(&mHeader[CMapLength]) * littleEndianInt(&mHeader[CMapDepth]);
+    // Even in TrueColor files a color palette may be present so we have to check it here
+    // even we only support image type 2 (= uncompressed true-color image)
+    if (mHeader[ColorMapType] == 1) {
+        int cmapDepth = mHeader[CMapDepth];
+        if (cmapDepth == 15)    // 15 bit is stored as 16 bit + ignoring the highest bit (no alpha)
+            cmapDepth = 16;
+        if (cmapDepth != 16 && cmapDepth != 24 && cmapDepth != 32) {
+            mErrorMessage = tr("Invalid color map depth (%1)").arg(cmapDepth);
+            return {};
+        }
+        offset += littleEndianInt(&mHeader[CMapLength]) * cmapDepth / 8;
+    }
 
     mDevice->seek(HeaderSize + offset);
 
-- 
cgit v1.2.1