DoS vulnerability in the BMP image handler (CVE-2015-0295)
This commit is contained in:
parent
c6c5987440
commit
aeb79bb543
@ -0,0 +1,42 @@
|
|||||||
|
From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Richard J. Moore" <rich@kde.org>
|
||||||
|
Date: Tue, 24 Feb 2015 19:02:35 +0000
|
||||||
|
Subject: [PATCH 137/138] Fix a division by zero when processing malformed BMP
|
||||||
|
files.
|
||||||
|
|
||||||
|
This fixes a division by 0 when processing a maliciously crafted BMP
|
||||||
|
file. No impact beyond DoS.
|
||||||
|
|
||||||
|
Backport of 661f6bfd032dacc62841037732816a583640e187
|
||||||
|
|
||||||
|
Task-number: QTBUG-44547
|
||||||
|
Change-Id: I43f06e752b11cb50669101460902a82b885ae618
|
||||||
|
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
||||||
|
---
|
||||||
|
src/gui/image/qbmphandler.cpp | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
|
||||||
|
index b22e842..30fa9e0 100644
|
||||||
|
--- a/src/gui/image/qbmphandler.cpp
|
||||||
|
+++ b/src/gui/image/qbmphandler.cpp
|
||||||
|
@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
|
||||||
|
}
|
||||||
|
} else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
|
||||||
|
red_shift = calc_shift(red_mask);
|
||||||
|
+ if (((red_mask >> red_shift) + 1) == 0)
|
||||||
|
+ return false;
|
||||||
|
red_scale = 256 / ((red_mask >> red_shift) + 1);
|
||||||
|
green_shift = calc_shift(green_mask);
|
||||||
|
+ if (((green_mask >> green_shift) + 1) == 0)
|
||||||
|
+ return false;
|
||||||
|
green_scale = 256 / ((green_mask >> green_shift) + 1);
|
||||||
|
blue_shift = calc_shift(blue_mask);
|
||||||
|
+ if (((blue_mask >> blue_shift) + 1) == 0)
|
||||||
|
+ return false;
|
||||||
|
blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
|
||||||
|
} else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
|
||||||
|
blue_mask = 0x000000ff;
|
||||||
|
--
|
||||||
|
1.9.3
|
||||||
|
|
9
qt.spec
9
qt.spec
@ -35,7 +35,7 @@ Summary: Qt toolkit
|
|||||||
Name: qt
|
Name: qt
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 4.8.6
|
Version: 4.8.6
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
|
|
||||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||||
@ -196,6 +196,9 @@ Patch267: 0067-Fix-AArch64-arm64-detection.patch
|
|||||||
Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
|
Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
|
||||||
|
|
||||||
## security patches
|
## security patches
|
||||||
|
# CVE-2015-0295
|
||||||
|
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
|
||||||
|
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
|
||||||
|
|
||||||
# desktop files
|
# desktop files
|
||||||
Source20: assistant.desktop
|
Source20: assistant.desktop
|
||||||
@ -593,6 +596,7 @@ rm -rf src/3rdparty/clucene
|
|||||||
%patch266 -p1 -b .0066
|
%patch266 -p1 -b .0066
|
||||||
%patch267 -p1 -b .0067
|
%patch267 -p1 -b .0067
|
||||||
%patch272 -p1 -b .0072
|
%patch272 -p1 -b .0072
|
||||||
|
%patch337 -p1 -b .0137
|
||||||
|
|
||||||
# security fixes
|
# security fixes
|
||||||
# regression fixes for the security fixes
|
# regression fixes for the security fixes
|
||||||
@ -1313,6 +1317,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 27 2015 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.6-25
|
||||||
|
- DoS vulnerability in the BMP image handler (CVE-2015-0295)
|
||||||
|
|
||||||
* Mon Feb 16 2015 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.6-24
|
* Mon Feb 16 2015 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.6-24
|
||||||
- more gcc5 detection fixes, in particular, ensure same QT_BUILD_KEY as gcc4 for now
|
- more gcc5 detection fixes, in particular, ensure same QT_BUILD_KEY as gcc4 for now
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user