qt5-qtbase/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch

From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
Date: Wed, 11 Mar 2015 13:34:01 +0100
Subject: [PATCH 201/238] Fixes crash in bmp and ico image decoding

Fuzzing test revealed that for certain malformed bmp and ico files,
the handler would segfault.

Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
---
 src/gui/image/qbmphandler.cpp                | 13 +++++++------
 src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
index df66499..8acc593 100644
--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
                             p = data + (h-y-1)*bpl;
                             break;
                         case 2:                        // delta (jump)
-                            // Protection
-                            if ((uint)x >= (uint)w)
-                                x = w-1;
-                            if ((uint)y >= (uint)h)
-                                y = h-1;
-
                             {
                                 quint8 tmp;
                                 d->getChar((char *)&tmp);
@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
                                 d->getChar((char *)&tmp);
                                 y += tmp;
                             }
+
+                            // Protection
+                            if ((uint)x >= (uint)w)
+                                x = w-1;
+                            if ((uint)y >= (uint)h)
+                                y = h-1;
+
                             p = data + (h-y-1)*bpl + x;
                             break;
                         default:                // absolute mode
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
index 00de0c8..ec1654e 100644
--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
                 QImage::Format format = QImage::Format_ARGB32;
                 if (icoAttrib.nbits == 24)
                     format = QImage::Format_RGB32;
-                else if (icoAttrib.ncolors == 2)
+                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
                     format = QImage::Format_Mono;
                 else if (icoAttrib.ncolors > 0)
                     format = QImage::Format_Indexed8;
-- 
1.9.3
Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858) 2015-04-13 17:50:19 +00:00			`From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001`
			`From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>`
			`Date: Wed, 11 Mar 2015 13:34:01 +0100`
			`Subject: [PATCH 201/238] Fixes crash in bmp and ico image decoding`

			`Fuzzing test revealed that for certain malformed bmp and ico files,`
			`the handler would segfault.`

			`Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe`
			`Reviewed-by: Lars Knoll <lars.knoll@digia.com>`
			`---`
			`src/gui/image/qbmphandler.cpp \| 13 +++++++------`
			`src/plugins/imageformats/ico/qicohandler.cpp \| 2 +-`
			`2 files changed, 8 insertions(+), 7 deletions(-)`

			`diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp`
			`index df66499..8acc593 100644`
			`--- a/src/gui/image/qbmphandler.cpp`
			`+++ b/src/gui/image/qbmphandler.cpp`
			`@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int`
			`p = data + (h-y-1)*bpl;`
			`break;`
			`case 2: // delta (jump)`
			`- // Protection`
			`- if ((uint)x >= (uint)w)`
			`- x = w-1;`
			`- if ((uint)y >= (uint)h)`
			`- y = h-1;`
			`-`
			`{`
			`quint8 tmp;`
			`d->getChar((char *)&tmp);`
			`@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int`
			`d->getChar((char *)&tmp);`
			`y += tmp;`
			`}`
			`+`
			`+ // Protection`
			`+ if ((uint)x >= (uint)w)`
			`+ x = w-1;`
			`+ if ((uint)y >= (uint)h)`
			`+ y = h-1;`
			`+`
			`p = data + (h-y-1)*bpl + x;`
			`break;`
			`default: // absolute mode`
			`diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp`
			`index 00de0c8..ec1654e 100644`
			`--- a/src/plugins/imageformats/ico/qicohandler.cpp`
			`+++ b/src/plugins/imageformats/ico/qicohandler.cpp`
			`@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)`
			`QImage::Format format = QImage::Format_ARGB32;`
			`if (icoAttrib.nbits == 24)`
			`format = QImage::Format_RGB32;`
			`- else if (icoAttrib.ncolors == 2)`
			`+ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)`
			`format = QImage::Format_Mono;`
			`else if (icoAttrib.ncolors > 0)`
			`format = QImage::Format_Indexed8;`
			`--`
			`1.9.3`