CVE-2025-5683: qt6-qtimageformats-6.8.3

Sun, 03 Aug 2025 00:57:27 -0700 

Simple diff to fix CVE-2025-5683 in qt6-qtimageformats-6.8.3.
Tested on amd64. OK?

Cheers Rafael

Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/qt6/qtimageformats/Makefile,v
diff -u -p -u -p -r1.3 Makefile
--- Makefile    26 Mar 2024 07:01:39 -0000      1.3
+++ Makefile    3 Aug 2025 07:56:18 -0000
@@ -1,6 +1,7 @@
 QT6NAME =      QtImageFormats
 COMMENT =      Qt6 additional image formats
 PKGSPEC =      qt6-qtimageformats-${QT6_PKGSPEC}
+REVISION =     0
 
 WANTLIB += ${COMPILER_LIBCXX} GL Qt6Core Qt6Gui c jasper jpeg
 WANTLIB += m mng tiff webp webpdemux webpmux
Index: patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
===================================================================
RCS file: patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
diff -N patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp        3 Aug 
2025 07:56:18 -0000
@@ -0,0 +1,28 @@
+https://download.qt.io/official_releases/qt/6.8/CVE-2025-5683-qtimageformats-6.8.patch
+
+Index: src/plugins/imageformats/icns/qicnshandler.cpp
+--- src/plugins/imageformats/icns/qicnshandler.cpp.orig
++++ src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -323,8 +323,11 @@ static inline bool isPowOf2OrDividesBy16(quint32 u, qr
+ 
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 
bound = 0)
+ {
+-    return header.ostype != 0 && (bound == 0
+-                || qBound(quint64(ICNSBlockHeaderSize), 
quint64(header.length), bound) == header.length);
++    return header.ostype != 0 &&
++        (bound == 0 ||
++            // qBound can be used but requires checking the limits first
++            // this requires less operations
++            (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+ 
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -869,7 +872,7 @@ bool QICNSHandler::scanDevice()
+             return false;
+ 
+         const qint64 blockDataOffset = device()->pos();
+-        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength 
- blockDataOffset)) {
++        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - 
blockDataOffset + filelength)) {
+             qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos 
%s. OSType \"%s\", length %u",
+                      QByteArray::number(blockDataOffset).constData(),
+                      nameFromOSType(blockHeader.ostype).constData(), 
blockHeader.length);

Reply via email to