-rw-r--r-- | x11-toolkits/qt33/Makefile | 2 | ||||
-rw-r--r-- | x11-toolkits/qt33/files/patch-CVE-2006-4811 | 140 | ||||
-rw-r--r-- | x11/kdelibs3/Makefile | 2 | ||||
-rw-r--r-- | x11/kdelibs3/files/patch-CVE-2006-4811 | 14 | ||||
-rw-r--r-- | x11/kdelibs4/Makefile | 2 | ||||
-rw-r--r-- | x11/kdelibs4/files/patch-CVE-2006-4811 | 14 |
6 files changed, 171 insertions, 3 deletions
diff --git a/x11-toolkits/qt33/Makefile b/x11-toolkits/qt33/Makefile
index 580171ab6db5..6ada997112de 100644
--- a/x11-toolkits/qt33/Makefile
+++ b/x11-toolkits/qt33/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= qt
 PORTVERSION= 3.3.6
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES?= x11-toolkits ipv6
 MASTER_SITES= ${MASTER_SITE_QT}
 DISTNAME= qt-x11-free-${PORTVERSION}
diff --git a/x11-toolkits/qt33/files/patch-CVE-2006-4811 b/x11-toolkits/qt33/files/patch-CVE-2006-4811
new file mode 100644
index 000000000000..78b4beff638f
--- /dev/null
+++ b/x11-toolkits/qt33/files/patch-CVE-2006-4811
@@ -0,0 +1,140 @@
+--- src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -171,7 +171,8 @@
+
+ QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h));
+ QRect br2 = br & pdevRect;
+- if (br2.width() <= 0 || br2.height() <= 0)
++ if (br2.width() <= 0 || br2.height() <= 0
++ || br2.width() >= 32768 || br2.height() >= 32768)
+ return;
+ QWMatrix mat = QPixmap::trueMatrix( xmat, w, h );
+ QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat);
+
+--- src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -475,7 +475,12 @@
+ Endian bitOrder )
+ {
+ init();
+- if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++ int bpl = ((w*depth+31)/32)*4; // bytes per scanline
++ if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX / sizeof(uchar *) < uint(h)
++ || INT_MAX / uint(depth) < uint(w)
++ || bpl <= 0
++ || INT_MAX / uint(bpl) < uint(h) )
+ return; // invalid parameter(s)
+ data->w = w;
+ data->h = h;
+@@ -483,7 +488,6 @@
+ data->ncols = depth != 32 ? numColors : 0;
+ if ( !yourdata )
+ return; // Image header info can be saved without needing to allocate memory.
+- int bpl = ((w*depth+31)/32)*4; // bytes per scanline
+ data->nbytes = bpl*h;
+ if ( colortable || !data->ncols ) {
+ data->ctbl = colortable;
+@@ -525,7 +529,10 @@
+ Endian bitOrder )
+ {
+ init();
+- if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++ if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX / sizeof(uchar *) < uint(h)
++ || INT_MAX / uint(bpl) < uint(h)
++ )
+ return; // invalid parameter(s)
+ data->w = w;
+ data->h = h;
+@@ -1264,7 +1271,7 @@
+ if ( data->ncols != numColors ) // could not alloc color table
+ return FALSE;
+
+- if ( INT_MAX / depth < width) { // sanity check for potential overflow
++ if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
+ setNumColors( 0 );
+ return FALSE;
+ }
+@@ -1277,7 +1284,9 @@
+ // #### WWA: shouldn't this be (width*depth+7)/8:
+ const int pad = bpl - (width*depth)/8; // pad with zeros
+ #endif
+- if (INT_MAX / bpl < height) { // sanity check for potential overflow
++ if ( INT_MAX / uint(bpl) < uint(height)
++ || bpl < 0
++ || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
+ setNumColors( 0 );
+ return FALSE;
+ }
+
+--- src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -953,6 +953,9 @@
+ bool force_mono = (dd == 1 || isQBitmap() ||
+ (conversion_flags & ColorMode_Mask)==MonoOnly );
+
++ if ( w >= 32768 || h >= 32768 )
++ return FALSE;
++
+ // get rid of the mask
+ delete data->mask;
+ data->mask = 0;
+@@ -1678,11 +1681,11 @@
+
+ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
+ {
+- int w = 0;
+- int h = 0; // size of target pixmap
+- int ws, hs; // size of source pixmap
++ uint w = 0;
++ uint h = 0; // size of target pixmap
++ uint ws, hs; // size of source pixmap
+ uchar *dptr; // data in target pixmap
+- int dbpl, dbytes; // bytes per line/bytes total
++ uint dbpl, dbytes; // bytes per line/bytes total
+ uchar *sptr; // data in original pixmap
+ int sbpl; // bytes per line in original
+ int bpp; // bits per pixel
+@@ -1697,19 +1700,24 @@
+
+ QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
+
++ double scaledWidth;
++ double scaledHeight;
++
+ if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
+ if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
+ return *this; // identity matrix
+- h = qRound( matrix.m22()*hs );
+- w = qRound( matrix.m11()*ws );
+- h = QABS( h );
+- w = QABS( w );
++ scaledHeight = matrix.m22()*hs;
++ scaledWidth = matrix.m11()*ws;
++ h = QABS( qRound( scaledHeight ) );
++ w = QABS( qRound( scaledWidth ) );
+ } else { // rotation or shearing
+ QPointArray a( QRect(0,0,ws+1,hs+1) );
+ a = mat.map( a );
+ QRect r = a.boundingRect().normalize();
+ w = r.width()-1;
+ h = r.height()-1;
++ scaledWidth = w;
++ scaledHeight = h;
+ }
+
+ mat = trueMatrix( mat, ws, hs ); // true matrix
+@@ -1718,7 +1726,8 @@
+ bool invertible;
+ mat = mat.invert( &invertible ); // invert matrix
+
+- if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap
++ if ( h == 0 || w == 0 || !invertible
++ || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap
+ QPixmap pm;
+ pm.data->bitmap = data->bitmap;
+ return pm;
diff --git a/x11/kdelibs3/Makefile b/x11/kdelibs3/Makefile
index 00ae1a11b738..ecafb51987c7 100644
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= kdelibs
 PORTVERSION= ${KDE_VERSION}
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= x11 kde
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs3/files/patch-CVE-2006-4811 b/x11/kdelibs3/files/patch-CVE-2006-4811
new file mode 100644
index 000000000000..8a9c8dfebb57
--- /dev/null
+++ b/x11/kdelibs3/files/patch-CVE-2006-4811
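Review bot: In the qimage.cpp sub-hunk at `@@ -525,7 +529,10 @@`, the added term `INT_MAX / uint(bpl) < uint(h)` divides by `bpl` without first rejecting zero, so a `bpl` of 0 becomes a division by zero instead of an early return. The sub-hunk at `@@ -475,7 +475,12 @@` places `bpl <= 0` ahead of the same division, and this check should do likewise: `|| bpl <= 0 || INT_MAX / uint(bpl) < uint(h)`. `bpl` is not declared in the visible lines of that sub-hunk, so it is presumably a caller-supplied parameter; the constructor signature starts above the hunk. Separately, in the first qimage.cpp sub-hunk `int bpl = ((w*depth+31)/32)*4;` is evaluated before `w` and `depth` are range-checked, so the signed multiplication can overflow before the guard runs; computing it only after the `INT_MAX / uint(depth) < uint(w)` test would avoid relying on wraparound.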
@@ -0,0 +1,14 @@
+Index: khtml/rendering/render_image.cpp
+===================================================================
+--- khtml/rendering/render_image.cpp (revision 594232)
++++ khtml/rendering/render_image.cpp (working copy)
+@@ -294,7 +294,8 @@ void RenderImage::paint(PaintInfo& paint
+ if ( (cWidth != intrinsicWidth() || cHeight != intrinsicHeight()) &&
+ pix.width() > 0 && pix.height() > 0 && i->valid_rect().isValid())
+ {
+- if (resizeCache.isNull() && cWidth && cHeight && intrinsicWidth() && intrinsicHeight())
++ if (resizeCache.isNull() && cWidth > 0 && cHeight > 0 && intrinsicWidth() && intrinsicHeight()
++ && cWidth < 4096 && cHeight < 4096)
+ {
+ QRect scaledrect(i->valid_rect());
+ // kdDebug(6040) << "time elapsed: " << dt->elapsed() << endl;
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 00ae1a11b738..ecafb51987c7 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= kdelibs
 PORTVERSION= ${KDE_VERSION}
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= x11 kde
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-CVE-2006-4811 b/x11/kdelibs4/files/patch-CVE-2006-4811
new file mode 100644
index 000000000000..8a9c8dfebb57
--- /dev/null
+++ b/x11/kdelibs4/files/patch-CVE-2006-4811
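Review bot: The new guard tightens `cWidth` and `cHeight` to `> 0` but leaves `intrinsicWidth() && intrinsicHeight()` as truthiness tests, so a negative intrinsic size would still reach the scaling branch; if those accessors can return negative values (not visible here), `intrinsicWidth() > 0 && intrinsicHeight() > 0` would make the condition consistent. The `4096` cap is also an unexplained constant, and a comment such as `// limit scaled dimensions; see CVE-2006-4811` above the condition would record why it exists. The identical hunk is repeated in x11/kdelibs4/files/patch-CVE-2006-4811, so the same applies there. RenderImage::paint continues outside the hunk, so how images rejected by the cap are drawn is not visible from here.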
@@ -0,0 +1,14 @@
+Index: khtml/rendering/render_image.cpp
+===================================================================
+--- khtml/rendering/render_image.cpp (revision 594232)
++++ khtml/rendering/render_image.cpp (working copy)
+@@ -294,7 +294,8 @@ void RenderImage::paint(PaintInfo& paint
+ if ( (cWidth != intrinsicWidth() || cHeight != intrinsicHeight()) &&
+ pix.width() > 0 && pix.height() > 0 && i->valid_rect().isValid())
+ {
+- if (resizeCache.isNull() && cWidth && cHeight && intrinsicWidth() && intrinsicHeight())
++ if (resizeCache.isNull() && cWidth > 0 && cHeight > 0 && intrinsicWidth() && intrinsicHeight()
++ && cWidth < 4096 && cHeight < 4096)
+ {
+ QRect scaledrect(i->valid_rect());
+ // kdDebug(6040) << "time elapsed: " << dt->elapsed() << endl;
|