authorrakuco <rakuco@FreeBSD.org>2015-04-14 16:34:41 +0800
committerrakuco <rakuco@FreeBSD.org>2015-04-14 16:34:41 +0800
commit1ff73be82a28ca7a7fc1d990902ac1cdaf397c5c (patch)
tree2bea38df371da00c88cc7d1e600deac8d812e6b7
parentd9fa0f40b7f16d11fec61ab6cea7f123cbe33e80 (diff)
Add patches for CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860.
Multiple vulnerabilities in Qt image format handling. MFH: 2015Q2 Security: 5713bfda-e27d-11e4-b2ce-5453ed2e2b49
-rw-r--r--graphics/qt4-imageformats/Makefile2
-rw-r--r--graphics/qt4-imageformats/files/patch-CVE-2015-185824
-rw-r--r--graphics/qt4-imageformats/files/patch-CVE-2015-185953
-rw-r--r--x11-toolkits/qt4-gui/Makefile2
-rw-r--r--x11-toolkits/qt4-gui/files/patch-CVE-2015-185953
-rw-r--r--x11-toolkits/qt5-gui/Makefile1
-rw-r--r--x11-toolkits/qt5-gui/files/patch-CVE-2015-185823
-rw-r--r--x11-toolkits/qt5-gui/files/patch-CVE-2015-185952
8 files changed, 208 insertions, 2 deletions
diff --git a/graphics/qt4-imageformats/Makefile b/graphics/qt4-imageformats/Makefile
index e91c513225a..5220fd13c38 100644
--- a/graphics/qt4-imageformats/Makefile
+++ b/graphics/qt4-imageformats/Makefile
@@ -3,7 +3,7 @@
PORTNAME= imageformats
DISTVERSION= ${QT4_VERSION}
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= graphics
PKGNAMEPREFIX= qt4-
diff --git a/graphics/qt4-imageformats/files/patch-CVE-2015-1858 b/graphics/qt4-imageformats/files/patch-CVE-2015-1858
new file mode 100644
index 00000000000..91aed0d19d7
--- /dev/null
+++ b/graphics/qt4-imageformats/files/patch-CVE-2015-1858
@@ -0,0 +1,24 @@
+commit a1cf194c54be57d6ab55dfd26b9562a60532208e
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed Mar 11 09:00:41 2015 +0100
+
+ Fixes crash in gif image decoder
+
+ Fuzzing test revealed that for certain malformed gif files,
+ qgifhandler would segfault.
+
+ Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+ (cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+ Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- src/gui/image/qgifhandler.cpp
++++ src/gui/image/qgifhandler.cpp
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
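Review bot: The new early return at the top of QGIFFormat::nextY gives no hint what out_of_bounds means or where it is set, and nothing in the hunk shows it; nextY's body continues past the hunk, so a reader cannot confirm from this file alone that returning here is enough. A short comment on the guard, along the lines of `// out_of_bounds: presumably set once an earlier row advance left the frame -- stop rather than index past the image buffer (confirm against where the flag is set)`, would record that intent next to the check. Since this is a ports patch file for a security fix, a one-line local header stating the CVE it addresses (the filename is the only place it appears) would also help later audits. The identical hunk is added for qt5 in x11-toolkits/qt5-gui/files/patch-CVE-2015-1858 and the same applies there.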
diff --git a/graphics/qt4-imageformats/files/patch-CVE-2015-1859 b/graphics/qt4-imageformats/files/patch-CVE-2015-1859
new file mode 100644
index 00000000000..d03c34d59b0
--- /dev/null
+++ b/graphics/qt4-imageformats/files/patch-CVE-2015-1859
@@ -0,0 +1,53 @@
+commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed Mar 11 13:34:01 2015 +0100
+
+ Fixes crash in bmp and ico image decoding
+
+ Fuzzing test revealed that for certain malformed bmp and ico files,
+ the handler would segfault.
+
+ Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+ (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+ Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- src/gui/image/qbmphandler.cpp
++++ src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+--- src/plugins/imageformats/ico/qicohandler.cpp
++++ src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
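Review bot: The relocated clamp in read_dib_body now runs after `x += tmp` / `y += tmp`, so the pointer computation `p = data + (h-y-1)*bpl + x` stays inside the image, but it does so by silently pinning an out-of-range delta to the last column or row and decoding then proceeds (`break;` at the end of the case); read_dib_body starts and ends outside the hunk, so if its false-returning error path is usable here, `return false;` in place of the clamp would reject the malformed record instead of masking it, and whichever is kept deserves a comment saying so. The qicohandler.cpp change (Format_Mono now requires `depth == 1` as well as `ncolors == 2`) is an independent fix bundled into the same patch file, while the commit message names CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860 but no file for CVE-2015-1860 is added; a one-line header in each patch file naming the CVE(s) it covers would make that mapping auditable. The identical hunk is added for x11-toolkits/qt4-gui/files/patch-CVE-2015-1859 and x11-toolkits/qt5-gui/files/patch-CVE-2015-1859 and the same points apply there.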
diff --git a/x11-toolkits/qt4-gui/Makefile b/x11-toolkits/qt4-gui/Makefile
index 7d69f97889c..6d328c0c141 100644
--- a/x11-toolkits/qt4-gui/Makefile
+++ b/x11-toolkits/qt4-gui/Makefile
@@ -3,7 +3,7 @@
PORTNAME= gui
DISTVERSION= ${QT4_VERSION}
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= x11-toolkits
PKGNAMEPREFIX= qt4-
diff --git a/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859 b/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
new file mode 100644
index 00000000000..d03c34d59b0
--- /dev/null
+++ b/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
@@ -0,0 +1,53 @@
+commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed Mar 11 13:34:01 2015 +0100
+
+ Fixes crash in bmp and ico image decoding
+
+ Fuzzing test revealed that for certain malformed bmp and ico files,
+ the handler would segfault.
+
+ Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+ (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+ Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- src/gui/image/qbmphandler.cpp
++++ src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+--- src/plugins/imageformats/ico/qicohandler.cpp
++++ src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
diff --git a/x11-toolkits/qt5-gui/Makefile b/x11-toolkits/qt5-gui/Makefile
index 5ac5d8ddaf2..280df4e5634 100644
--- a/x11-toolkits/qt5-gui/Makefile
+++ b/x11-toolkits/qt5-gui/Makefile
@@ -2,6 +2,7 @@
PORTNAME= gui
DISTVERSION= ${QT5_VERSION}
+PORTREVISION= 1
CATEGORIES= x11-toolkits graphics
PKGNAMEPREFIX= qt5-
diff --git a/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858 b/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858
new file mode 100644
index 00000000000..066c8bba087
--- /dev/null
+++ b/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858
@@ -0,0 +1,23 @@
+commit d3048a29797ee2d80d84bbda26bb3c954584f332
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed Mar 11 09:00:41 2015 +0100
+
+ Fixes crash in gif image decoder
+
+ Fuzzing test revealed that for certain malformed gif files,
+ qgifhandler would segfault.
+
+ Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+ Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- src/gui/image/qgifhandler.cpp
++++ src/gui/image/qgifhandler.cpp
+@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
diff --git a/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859 b/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859
new file mode 100644
index 00000000000..78066cba7a8
--- /dev/null
+++ b/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859
@@ -0,0 +1,52 @@
+commit 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed Mar 11 13:34:01 2015 +0100
+
+ Fixes crash in bmp and ico image decoding
+
+ Fuzzing test revealed that for certain malformed bmp and ico files,
+ the handler would segfault.
+
+ Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+ Reviewed-by: Lars Knoll <lars.knoll@digia.com>
+
+--- src/gui/image/qbmphandler.cpp
++++ src/gui/image/qbmphandler.cpp
+@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+--- src/plugins/imageformats/ico/qicohandler.cpp
++++ src/plugins/imageformats/ico/qicohandler.cpp
+@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;