DoS vulnerability in the BMP image handler (CVE-2015-0295)
This commit is contained in:
Rex Dieter
parent
c6c5987440
commit
aeb79bb543
|
|
@ -0,0 +1,42 @@
|
|||
From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard J. Moore" <rich@kde.org>
|
||||
Date: Tue, 24 Feb 2015 19:02:35 +0000
|
||||
Subject: [PATCH 137/138] Fix a division by zero when processing malformed BMP
|
||||
files.
|
||||
|
||||
This fixes a division by 0 when processing a maliciously crafted BMP
|
||||
file. No impact beyond DoS.
|
||||
|
||||
Backport of 661f6bfd032dacc62841037732816a583640e187
|
||||
|
||||
Task-number: QTBUG-44547
|
||||
Change-Id: I43f06e752b11cb50669101460902a82b885ae618
|
||||
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
||||
---
|
||||
src/gui/image/qbmphandler.cpp | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
|
||||
index b22e842..30fa9e0 100644
|
||||
--- a/src/gui/image/qbmphandler.cpp
|
||||
+++ b/src/gui/image/qbmphandler.cpp
|
||||
@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
|
||||
}
|
||||
} else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
|
||||
red_shift = calc_shift(red_mask);
|
||||
+ if (((red_mask >> red_shift) + 1) == 0)
|
||||
+ return false;
|
||||
red_scale = 256 / ((red_mask >> red_shift) + 1);
|
||||
green_shift = calc_shift(green_mask);
|
||||
+ if (((green_mask >> green_shift) + 1) == 0)
|
||||
+ return false;
|
||||
green_scale = 256 / ((green_mask >> green_shift) + 1);
|
||||
blue_shift = calc_shift(blue_mask);
|
||||
+ if (((blue_mask >> blue_shift) + 1) == 0)
|
||||
+ return false;
|
||||
blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
|
||||
} else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
|
||||
blue_mask = 0x000000ff;
|
||||
--
|
||||
1.9.3
|
||||
|
||||
9
qt.spec
9
qt.spec
|
|
@ -35,7 +35,7 @@ Summary: Qt toolkit
|
|||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.8.6
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||
|
|
@ -196,6 +196,9 @@ Patch267: 0067-Fix-AArch64-arm64-detection.patch
|
|||
Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
|
||||
|
||||
## security patches
|
||||
# CVE-2015-0295
|
||||
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
|
||||
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
|
||||
|
||||
# desktop files
|
||||
Source20: assistant.desktop
|
||||
|
|
@ -593,6 +596,7 @@ rm -rf src/3rdparty/clucene
|
|||
%patch266 -p1 -b .0066
|
||||
%patch267 -p1 -b .0067
|
||||
%patch272 -p1 -b .0072
|
||||
%patch337 -p1 -b .0137
|
||||
|
||||
# security fixes
|
||||
# regression fixes for the security fixes
|
||||
|
|
@ -1313,6 +1317,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Feb 27 2015 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.6-25
|
||||
- DoS vulnerability in the BMP image handler (CVE-2015-0295)
|
||||
|
||||
* Mon Feb 16 2015 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.6-24
|
||||
- more gcc5 detection fixes, in particular, ensure same QT_BUILD_KEY as gcc4 for now
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue