From aa1293f043f5df34ee7501efda6a6a2e8da5fa99 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Fri, 25 Oct 2024 11:34:08 +0200
Subject: [PATCH] Avoid assert or crash on plateauing transfer table

If the same value repeats many times the values y1 and y2
can end up being the same cauing an assert or division by 0.

Fixes oss-fuzz 42535976. Credit to OSS-Fuzz for finding the case.

Pick-to: 6.8
Change-Id: I30afd5cd61163c51949a8c13d4034f4bc11d27a7
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
 src/gui/painting/qcolortransfertable_p.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gui/painting/qcolortransfertable_p.h b/src/gui/painting/qcolortransfertable_p.h
index ce6ad0c4b25..adaa3698503 100644
--- a/src/gui/painting/qcolortransfertable_p.h
+++ b/src/gui/painting/qcolortransfertable_p.h
@@ -111,7 +111,7 @@ class Q_GUI_EXPORT QColorTransferTable
         return x;
     }
 
-    // Apply inverse, optimized by giving a previous result a value < x.
+    // Apply inverse, optimized by giving a previous result for a value < x.
     float applyInverse(float x, float resultLargerThan = 0.0f) const
     {
         Q_ASSERT(resultLargerThan >= 0.0f && resultLargerThan <= 1.0f);
@@ -191,7 +191,7 @@ class Q_GUI_EXPORT QColorTransferTable
     template<typename T>
     static float inverseLookup(float needle, float resultLargerThan, const QList<T> &table, quint32 tableMax)
     {
-        uint32_t i = static_cast<uint32_t>(resultLargerThan * tableMax);
+        uint32_t i = qMax(static_cast<uint32_t>(resultLargerThan * tableMax), 1U) - 1;
         auto it = std::lower_bound(table.cbegin() + i, table.cend(), needle);
         i = it - table.cbegin();
         if (i == 0)