Crash on malformed quoted printable strings in decode()

[ghost]

Test case:

void testQuotedPrintable()
{
    QString malformed = QString::fromLatin1("=40=");
    QuotedPrintable::decode(malformed);
}

Since this code:

        if (input.at(i).toAscii() == '=')
        {
            output->append((hexVal[input.at(++i).toAscii() - '0'] << 4) + hexVal[input.at(++i).toAscii() - '0']);
        }

never checks the length of the input string, input.at(++i) may access the data outside of the string, sometimes resulting in a crash.

********* Start testing of Test *********
Config: Using QTest library 4.8.3, Qt 4.8.3
PASS   : Test::initTestCase()
QFATAL : Test::testQuotedPrintable() ASSERT: "uint(i) < uint(size())" in file /usr/include/qt4/QtCore/qstring.h, line 699
FAIL!  : Test::testQuotedPrintable() Received a fatal error.
   Loc: [Unknown file(0)]
Totals: 1 passed, 1 failed, 0 skipped
********* Finished testing of Test *********

[ghost]

Another issue is that when the function tries to decode a malformed string (like '=\xFF\xFF'), it goes out of hexVal array bounds.

While this possibly won't crash the application (unless the stack is almost exhausted), combined with another attack this may allow the attacker to read the data from the stack.