rpms/qt
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858

Browse Source
This commit is contained in:
Than Ngo 2015-04-13 16:21:57 +02:00
parent 74e790ecfb
commit 63cda2bb9f
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch Normal file
View File

@ -0,0 +1,54 @@
diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp
--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than 2015-04-13 16:03:24.347475762 +0200
+++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp 2015-04-13 16:04:42.781923479 +0200
@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s
p = data + (h-y-1)*bpl;
break;
case 2: // delta (jump)
- // Protection
- if ((uint)x >= (uint)w)
- x = w-1;
- if ((uint)y >= (uint)h)
- y = h-1;
-
{
quint8 tmp;
d->getChar((char *)&tmp);
@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s
d->getChar((char *)&tmp);
y += tmp;
}
+
+ // Protection
+ if ((uint)x >= (uint)w)
+ x = w-1;
+ if ((uint)y >= (uint)h)
+ y = h-1;
+
p = data + (h-y-1)*bpl + x;
break;
default: // absolute mode
diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp
--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than 2015-04-13 16:10:38.284420268 +0200
+++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp 2015-04-13 16:11:17.406144797 +0200
@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image,
void QGIFFormat::nextY(unsigned char *bits, int bpl)
{
+ if (out_of_bounds)
+ return;
int my;
switch (interlace) {
case 0: // Non-interlaced
diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp
--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than 2015-04-13 16:05:02.059787728 +0200
+++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp 2015-04-13 16:05:41.141512553 +0200
@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
QImage::Format format = QImage::Format_ARGB32;
if (icoAttrib.nbits == 24)
format = QImage::Format_RGB32;
- else if (icoAttrib.ncolors == 2)
+ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
format = QImage::Format_Mono;
else if (icoAttrib.ncolors > 0)
format = QImage::Format_Indexed8;

8
qt.spec
View File

@ -35,7 +35,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.6
Release: 27%{?dist}
Release: 28%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@ -199,6 +199,8 @@ Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
# CVE-2015-0295
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
Patch338: qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
# desktop files
Source20: assistant.desktop
@ -597,6 +599,7 @@ rm -rf src/3rdparty/clucene
%patch267 -p1 -b .0067
%patch272 -p1 -b .0072
%patch337 -p1 -b .0137
%patch338 -p1 -b .CVE-2015-1860_CVE-2015-1859_CVE-2015-1858
# security fixes
# regression fixes for the security fixes
@ -1332,6 +1335,9 @@ fi
%changelog
* Mon Apr 13 2015 Than Ngo <than@redhat.com> - 1:4.8.6-28
- bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
* Thu Mar 26 2015 Richard Hughes <rhughes@redhat.com> - 1:4.8.6-27
- Add an AppData file for the software center