From e6deda527721f94133d5715f5c34a170c043f3d1 Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Sat, 15 Oct 2016 22:23:03 +0200
Subject: QTgaFile: fix parsing of TGA16 rgb data
The code tries to expand a 16-bit value of the form 0bABBBBBGGGGGRRRRR into a 32-bit QRgb, but got the operator precedence wrong: << has higher precedence than binary & This made the first operand of the |-chain (BBBBB) unconditionally zero. The second operand had the same precedence problem, but didn't decay into a tautological value like the first one did. Fix by adding another set of parentheses. The test coverage for this security-relevant piece of code is quite obviously insufficient, and should be increased, or else the format be dropped.
[ChangeLog][TGA] Fixed reading of TGA-16 formats.
Coverity-Id: 21782
Change-Id: I7019be8fe22e480c40192e0c1916b1d2bebf71cc
Reviewed-by: Lars Knoll
Reviewed-by: Giuseppe D'Angelo
---
 src/plugins/imageformats/tga/qtgafile.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
index a0fc26d..b248b3a 100644
--- a/src/plugins/imageformats/tga/qtgafile.cpp
+++ b/src/plugins/imageformats/tga/qtgafile.cpp
@@ -52,7 +52,7 @@ struct Tga16Reader : public TgaReader
 if (s->getChar(&ch1) && s->getChar(&ch2)) {
 quint16 d = (int(ch1) & 0xFF) | ((int(ch2) & 0xFF) << 8);
 QRgb result = (d & 0x8000) ? 0xFF000000 : 0x00000000;
- result |= (d & 0x7C00 << 6) | (d & 0x03E0 << 3) | (d & 0x001F);
+ result |= ((d & 0x7C00) << 6) | ((d & 0x03E0) << 3) | (d & 0x001F);
 return result;
 } else {
 return 0;
-- cgit v1.2.1
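Review bot: Even with the parentheses corrected, each 5-bit field lands in the low five bits of its QRgb byte (`<< 6` moves bits 10-14 to 16-20, `<< 3` moves bits 5-9 to 8-12, and the last field is not shifted at all), so a fully saturated channel decodes as 0x1F rather than a value near 0xFF. Unless a later stage rescales the pixel, which is not visible in this hunk, the line would need to be `result |= ((d & 0x7C00) << 9) | ((d & 0x03E0) << 6) | ((d & 0x001F) << 3);`, optionally replicating the top three bits of each field into the low bits for full range. The commit message itself calls the coverage of this parser insufficient, yet no test accompanies the change; a small TGA16 fixture with known pixel values would pin both the precedence fix and the channel scaling. Separately, the `else` branch returns 0 when `getChar` fails, so a truncated file yields transparent pixels with no error visible to the caller, which is worth a comment or an explicit failure path for input that may be untrusted. The enclosing function starts and ends outside the hunk.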