[Midnightbsd-cvs] mports [20815] trunk/graphics/qt4-imageformats: add cve patches
laffer1 at midnightbsd.org
Thu Nov 12 22:35:03 EST 2015
Revision: 20815
http://svnweb.midnightbsd.org/mports/?rev=20815
Author: laffer1
Date: 2015-11-12 22:35:03 -0500 (Thu, 12 Nov 2015)
Log Message:
-----------
add cve patches
Modified Paths:
--------------
trunk/graphics/qt4-imageformats/Makefile
Added Paths:
-----------
trunk/graphics/qt4-imageformats/files/patch-CVE-2014-0190
trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1858
trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1859
Removed Paths:
-------------
trunk/graphics/qt4-imageformats/files/patch-git_ccd1b2ee
Modified: trunk/graphics/qt4-imageformats/Makefile
===================================================================
--- trunk/graphics/qt4-imageformats/Makefile 2015-11-13 03:32:07 UTC (rev 20814)
+++ trunk/graphics/qt4-imageformats/Makefile 2015-11-13 03:35:03 UTC (rev 20815)
@@ -7,7 +7,8 @@
PKGNAMEPREFIX= qt4-
MAINTAINER= ports at MidnightBSD.org
-COMMENT= Qt imageformat plugins for GIF, JPEG, MNG and SVG
+COMMENT= Qt plugins for several image formats
+
LICENSE= gpl3
LIB_DEPENDS= libmng.so:${PORTSDIR}/graphics/libmng \
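Review bot: No PORTREVISION bump appears in this Makefile diff; the only change is the COMMENT line plus an added blank line, so hosts that already have the package installed will not be offered a new version carrying the three CVE patches. Suggest bumping PORTREVISION in the same commit, and mentioning the COMMENT rewording in the log message since it is unrelated to the security fix.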
Added: trunk/graphics/qt4-imageformats/files/patch-CVE-2014-0190
===================================================================
--- trunk/graphics/qt4-imageformats/files/patch-CVE-2014-0190 (rev 0)
+++ trunk/graphics/qt4-imageformats/files/patch-CVE-2014-0190 2015-11-13 03:35:03 UTC (rev 20815)
@@ -0,0 +1,38 @@
+commit f1b76c126c476c155af8c404b97c42cd1a709333
+Author: Lars Knoll <lars.knoll at digia.com>
+Date: Thu Apr 24 15:33:27 2014 +0200
+
+ Don't crash on broken GIF images
+
+ Broken GIF images could set invalid width and height
+ values inside the image, leading to Qt creating a null
+ QImage for it. In that case we need to abort decoding
+ the image and return an error.
+
+ Initial patch by Rich Moore.
+
+ Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5
+
+ Task-number: QTBUG-38367
+ Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a
+ Security-advisory: CVE-2014-0190
+ Reviewed-by: Richard J. Moore <rich at kde.org>
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 3324f04..5199dd3 100644
+--- src/gui/image/qgifhandler.cpp
++++ src/gui/image/qgifhandler.cpp
+@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ memset(bits, 0, image->byteCount());
+ }
+
++ // Check if the previous attempt to create the image failed. If it
++ // did then the image is broken and we should give up.
++ if (image->isNull()) {
++ state = Error;
++ return -1;
++ }
++
+ disposePrevious(image);
+ disposed = false;
+
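Review bot: The new `image->isNull()` check is placed after the context line `memset(bits, 0, image->byteCount());`, so if that memset belongs to the block that creates the image, it has already run against a null QImage by the time the error is detected. Testing for a null image directly after it is constructed, before `bits` is used, and setting `state = Error; return -1;` there would close that window; otherwise a short comment stating why the memset is harmless on a null image would help.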
Property changes on: trunk/graphics/qt4-imageformats/files/patch-CVE-2014-0190
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1858
===================================================================
--- trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1858 (rev 0)
+++ trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1858 2015-11-13 03:35:03 UTC (rev 20815)
@@ -0,0 +1,24 @@
+commit a1cf194c54be57d6ab55dfd26b9562a60532208e
+Author: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed Mar 11 09:00:41 2015 +0100
+
+ Fixes crash in gif image decoder
+
+ Fuzzing test revealed that for certain malformed gif files,
+ qgifhandler would segfault.
+
+ Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+ (cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+ Reviewed-by: Richard J. Moore <rich at kde.org>
+
+--- src/gui/image/qgifhandler.cpp
++++ src/gui/image/qgifhandler.cpp
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
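Review bot: The early return at the top of `nextY()` depends on `out_of_bounds`, which this hunk neither sets nor resets, so the fix is only as good as the existing code that maintains that flag. Worth confirming in the Qt 4 sources this port builds that the flag is updated before every `nextY()` call and cleared for each frame. The embedded commit message also has no Security-advisory line, unlike patch-CVE-2014-0190; a one-line comment at the top of the patch file naming CVE-2015-1858 would make the file name traceable.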
Property changes on: trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1858
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1859
===================================================================
--- trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1859 (rev 0)
+++ trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1859 2015-11-13 03:35:03 UTC (rev 20815)
@@ -0,0 +1,53 @@
+commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32
+Author: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed Mar 11 13:34:01 2015 +0100
+
+ Fixes crash in bmp and ico image decoding
+
+ Fuzzing test revealed that for certain malformed bmp and ico files,
+ the handler would segfault.
+
+ Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+ (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+ Reviewed-by: Richard J. Moore <rich at kde.org>
+
+--- src/gui/image/qbmphandler.cpp
++++ src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
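Review bot: In `case 2` the visible `d->getChar((char *)&tmp);` calls ignore their return value, so on a truncated stream `y += tmp` can add an uninitialised byte. The relocated clamp now runs after the deltas are applied and keeps `p` inside the buffer, but decoding then continues on garbage with the position silently pinned to `w-1` / `h-1`. Consider failing the read when getChar fails or when the delta lands outside the image, rather than clamping.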
+--- src/plugins/imageformats/ico/qicohandler.cpp
++++ src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
Property changes on: trunk/graphics/qt4-imageformats/files/patch-CVE-2015-1859
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Deleted: trunk/graphics/qt4-imageformats/files/patch-git_ccd1b2ee
===================================================================
--- trunk/graphics/qt4-imageformats/files/patch-git_ccd1b2ee 2015-11-13 03:32:07 UTC (rev 20814)
+++ trunk/graphics/qt4-imageformats/files/patch-git_ccd1b2ee 2015-11-13 03:35:03 UTC (rev 20815)
@@ -1,35 +0,0 @@
-commit ccd1b2ee01c193cd157978c1f9f08f87d0f9c94b
-Author: Raphael Kubo da Costa <rakuco at FreeBSD.org>
-Date: Fri May 10 01:40:23 2013 +0300
-
- Check that 3DNow! instructions are supported before including mm3dnow.h.
-
- Include mm3dnow.h the way we already include the (S)SSE{3,4} and AVX
- instruction headers: by checking that the compiler is set to support those
- instructions besides verifying that QT_HAVE_3DNOW evalues to true (which
- only means the compiler supported them when the build was being configured).
-
- This has not caused a problem in most cases so far because GCC protects its
- mm3dnow.h header with an #ifdef __3dNOW__ (contrary to what it does on, say,
- pmmintrin.h). clang's mm3dnow.h, on the other hand, does not have that check
- and can fail if -march is set to, for example, i386 or i486.
-
- Not backported from qt5 because qtbase because qsimd_p.h does not include
- the 3DNow! headers after commit a1b30b49ef09bef2e97b9a0622bf7ad622678fee.
-
- Change-Id: I15ab5e936c71c55f89c3f25777ab27fbd262e9cd
- Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
-
-diff --git a/src/corelib/tools/qsimd_p.h b/src/corelib/tools/qsimd_p.h
-index 87e26e1..6a32e8f 100644
---- ./src/corelib/tools/qsimd_p.h
-+++ ./src/corelib/tools/qsimd_p.h
-@@ -199,7 +199,7 @@ QT_BEGIN_HEADER
- #endif
-
- // 3D now intrinsics
--#if defined(QT_HAVE_3DNOW)
-+#if defined(QT_HAVE_3DNOW) && (defined(__3dNOW__) || defined(Q_CC_MSVC))
- #include <mm3dnow.h>
- #endif
-
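Review bot: The removal of patch-git_ccd1b2ee is not covered by the log message "add cve patches". The deleted patch guarded `#include <mm3dnow.h>` with `defined(__3dNOW__) || defined(Q_CC_MSVC)`, and its own description says clang's header can fail when -march is set to i386 or i486. Please state why it is safe to drop for this port (for example, that src/corelib/tools/qsimd_p.h is not compiled here), or keep it.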