Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)
This commit is contained in:
parent
240a4ac577
commit
9a602903fd
|
@ -0,0 +1,30 @@
|
|||
From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001
|
||||
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
|
||||
Date: Wed, 11 Mar 2015 09:00:41 +0100
|
||||
Subject: [PATCH 200/238] Fixes crash in gif image decoder
|
||||
|
||||
Fuzzing test revealed that for certain malformed gif files,
|
||||
qgifhandler would segfault.
|
||||
|
||||
Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
|
||||
Reviewed-by: Richard J. Moore <rich@kde.org>
|
||||
---
|
||||
src/gui/image/qgifhandler.cpp | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
|
||||
index 03e46ab..8d8c4ae 100644
|
||||
--- a/src/gui/image/qgifhandler.cpp
|
||||
+++ b/src/gui/image/qgifhandler.cpp
|
||||
@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
|
||||
|
||||
void QGIFFormat::nextY(unsigned char *bits, int bpl)
|
||||
{
|
||||
+ if (out_of_bounds)
|
||||
+ return;
|
||||
int my;
|
||||
switch (interlace) {
|
||||
case 0: // Non-interlaced
|
||||
--
|
||||
1.9.3
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
|
||||
From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
|
||||
Date: Wed, 11 Mar 2015 13:34:01 +0100
|
||||
Subject: [PATCH 201/238] Fixes crash in bmp and ico image decoding
|
||||
|
||||
Fuzzing test revealed that for certain malformed bmp and ico files,
|
||||
the handler would segfault.
|
||||
|
||||
Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
|
||||
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
|
||||
---
|
||||
src/gui/image/qbmphandler.cpp | 13 +++++++------
|
||||
src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
|
||||
2 files changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
|
||||
index df66499..8acc593 100644
|
||||
--- a/src/gui/image/qbmphandler.cpp
|
||||
+++ b/src/gui/image/qbmphandler.cpp
|
||||
@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
|
||||
p = data + (h-y-1)*bpl;
|
||||
break;
|
||||
case 2: // delta (jump)
|
||||
- // Protection
|
||||
- if ((uint)x >= (uint)w)
|
||||
- x = w-1;
|
||||
- if ((uint)y >= (uint)h)
|
||||
- y = h-1;
|
||||
-
|
||||
{
|
||||
quint8 tmp;
|
||||
d->getChar((char *)&tmp);
|
||||
@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
|
||||
d->getChar((char *)&tmp);
|
||||
y += tmp;
|
||||
}
|
||||
+
|
||||
+ // Protection
|
||||
+ if ((uint)x >= (uint)w)
|
||||
+ x = w-1;
|
||||
+ if ((uint)y >= (uint)h)
|
||||
+ y = h-1;
|
||||
+
|
||||
p = data + (h-y-1)*bpl + x;
|
||||
break;
|
||||
default: // absolute mode
|
||||
diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
|
||||
index 00de0c8..ec1654e 100644
|
||||
--- a/src/plugins/imageformats/ico/qicohandler.cpp
|
||||
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
|
||||
@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
|
||||
QImage::Format format = QImage::Format_ARGB32;
|
||||
if (icoAttrib.nbits == 24)
|
||||
format = QImage::Format_RGB32;
|
||||
- else if (icoAttrib.ncolors == 2)
|
||||
+ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
|
||||
format = QImage::Format_Mono;
|
||||
else if (icoAttrib.ncolors > 0)
|
||||
format = QImage::Format_Indexed8;
|
||||
--
|
||||
1.9.3
|
||||
|
|
@ -37,7 +37,7 @@
|
|||
Summary: Qt5 - QtBase components
|
||||
Name: qt5-qtbase
|
||||
Version: 5.4.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, for exception details
|
||||
License: LGPLv2 with exceptions or GPLv3 with exceptions
|
||||
|
@ -103,6 +103,9 @@ Patch336: 0136-Make-sure-there-s-a-scene-before-using-it.patch
|
|||
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
|
||||
# CVE-2015-0295
|
||||
Patch349: 0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
|
||||
# CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
|
||||
Patch400: 0200-Fixes-crash-in-gif-image-decoder.patch
|
||||
Patch401: 0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
|
||||
|
||||
# macros, be mindful to keep sync'd with macros.qt5
|
||||
Source1: macros.qt5
|
||||
|
@ -359,6 +362,8 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
|
|||
%patch332 -p1 -b .0132
|
||||
%patch336 -p1 -b .0136
|
||||
%patch349 -p1 -b .0149
|
||||
%patch400 -p1 -b .0200
|
||||
%patch401 -p1 -b .0201
|
||||
|
||||
# drop -fexceptions from $RPM_OPT_FLAGS
|
||||
RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
|
||||
|
@ -870,6 +875,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Apr 13 2015 Rex Dieter <rdieter@fedoraproject.org> 5.4.1-9
|
||||
- Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)
|
||||
|
||||
* Fri Apr 10 2015 Rex Dieter <rdieter@fedoraproject.org> - 5.4.1-8
|
||||
- -dbus=runtime on el6 (#1196359)
|
||||
- %%build: -no-directfb
|
||||
|
|
Loading…
Reference in New Issue