[gentoo-commits] gentoo-x86 commit in dev-qt/qtgui/files: qtgui-4.8.6-CVE-2015-1858.patch qtgui-4.8.6-CVE-2015-1860.patch

[Ben de Groot (yngwin)]

yngwin      15/05/07 08:31:30

  Added:                qtgui-4.8.6-CVE-2015-1858.patch
                        qtgui-4.8.6-CVE-2015-1860.patch
  Log:
  Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859, 
CVE-2015-1860.
  
  (Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 
0x4FDF9CFD2FAC514E!)

Revision  Changes    Path
1.1                  dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch?rev=1.1&content-type=text/plain

Index: qtgui-4.8.6-CVE-2015-1858.patch
===================================================================
>From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsl...@theqtcompany.com>
Date: Wed, 11 Mar 2015 13:34:01 +0100
Subject: Fixes crash in bmp and ico image decoding

Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.

Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
Reviewed-by: Richard J. Moore <r...@kde.org>
---
 src/gui/image/qbmphandler.cpp                | 13 +++++++------
 src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index 30fa9e0..17a880b 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const 
BMP_INFOHDR &bi, int offset, int
                             p = data + (h-y-1)*bpl;
                             break;
                         case 2:                        // delta (jump)
-                            // Protection
-                            if ((uint)x >= (uint)w)
-                                x = w-1;
-                            if ((uint)y >= (uint)h)
-                                y = h-1;
-
                             {
                                 quint8 tmp;
                                 d->getChar((char *)&tmp);
@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const 
BMP_INFOHDR &bi, int offset, int
                                 d->getChar((char *)&tmp);
                                 y += tmp;
                             }
+
+                            // Protection
+                            if ((uint)x >= (uint)w)
+                                x = w-1;
+                            if ((uint)y >= (uint)h)
+                                y = h-1;
+
                             p = data + (h-y-1)*bpl + x;
                             break;
                         default:                // absolute mode
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp 
b/src/plugins/imageformats/ico/qicohandler.cpp
index 1a88605..3c34765 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
                 QImage::Format format = QImage::Format_ARGB32;
                 if (icoAttrib.nbits == 24)
                     format = QImage::Format_RGB32;
-                else if (icoAttrib.ncolors == 2)
+                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
                     format = QImage::Format_Mono;
                 else if (icoAttrib.ncolors > 0)
                     format = QImage::Format_Indexed8;
-- 
cgit v0.11.0




1.1                  dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch?rev=1.1&content-type=text/plain

Index: qtgui-4.8.6-CVE-2015-1860.patch
===================================================================
>From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsl...@theqtcompany.com>
Date: Wed, 11 Mar 2015 09:00:41 +0100
Subject: Fixes crash in gif image decoder

Fuzzing test revealed that for certain malformed gif files,
qgifhandler would segfault.

Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
Reviewed-by: Richard J. Moore <r...@kde.org>
---
 src/gui/image/qgifhandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
index 5199dd3..49aa2a6 100644
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, 
int w, int h, QRgb co
 
 void QGIFFormat::nextY(unsigned char *bits, int bpl)
 {
+    if (out_of_bounds)
+        return;
     int my;
     switch (interlace) {
     case 0: // Non-interlaced
-- 
cgit v0.11.0