pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/x11/qt5-qtbase SECURITY: Fix a division by zero when p...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/7adaad0750fc
branches:  trunk
changeset: 649026:7adaad0750fc
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Mar 28 17:04:50 2015 +0000

description:
SECURITY: Fix a division by zero when processing malformed BMP files.

This fixes a division by 0 when processing a maliciously crafted BMP
file. No impact beyond DoS.

PKGREVISION++.

diffstat:

 x11/qt5-qtbase/Makefile                                    |   3 +-
 x11/qt5-qtbase/distinfo                                    |   3 +-
 x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp |  30 ++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)

diffs (64 lines):

diff -r 8690ee593688 -r 7adaad0750fc x11/qt5-qtbase/Makefile
--- a/x11/qt5-qtbase/Makefile   Sat Mar 28 15:23:14 2015 +0000
+++ b/x11/qt5-qtbase/Makefile   Sat Mar 28 17:04:50 2015 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.17 2015/02/19 14:26:21 joerg Exp $
+# $NetBSD: Makefile,v 1.18 2015/03/28 17:04:50 bsiegert Exp $
 
 DISTNAME=      qtbase-opensource-src-${QTVERSION}
 PKGNAME=       qt5-qtbase-${QTVERSION}
+PKGREVISION=   1
 COMMENT=       C++ X GUI toolkit
 
 .include "../../x11/qt5-qtbase/Makefile.common"
diff -r 8690ee593688 -r 7adaad0750fc x11/qt5-qtbase/distinfo
--- a/x11/qt5-qtbase/distinfo   Sat Mar 28 15:23:14 2015 +0000
+++ b/x11/qt5-qtbase/distinfo   Sat Mar 28 17:04:50 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2015/02/14 22:12:34 nros Exp $
+$NetBSD: distinfo,v 1.17 2015/03/28 17:04:50 bsiegert Exp $
 
 SHA1 (qtbase-opensource-src-5.4.0.tar.xz) = 2e3d32f32e36a92782ca66c260940824746900bd
 RMD160 (qtbase-opensource-src-5.4.0.tar.xz) = 0df3e024b331c705e895fb5bb76cacd71c6e4909
@@ -19,6 +19,7 @@
 SHA1 (patch-src_corelib_io_io.pri) = c4bb37370849bfbc994809825ff94090d71a7116
 SHA1 (patch-src_corelib_io_qfilesystemwatcher.cpp) = 7732cae95975af17e0618667b979c3b84d51adae
 SHA1 (patch-src_corelib_io_qstorageinfo_unix.cpp) = 271f12fc32ffea7c72e62e8add20abf6939b275a
+SHA1 (patch-src_gui_image_qbmphandler.cpp) = 1e540711365f056657100ec84b22789e60443c98
 SHA1 (patch-src_network_kernel_qhostinfo__unix.cpp) = 0335273353daa7c980ccb4febb6eed11b452e50d
 SHA1 (patch-src_platformsupport_platformsupport.pro) = 2aa60936578458cf241ca893771897f7d34fe081
 SHA1 (patch-src_plugins_platforminputcontexts_compose_compose.pro) = 86f828bd545fe53c626fde0a645213077b88ef64
diff -r 8690ee593688 -r 7adaad0750fc x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp        Sat Mar 28 17:04:50 2015 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-src_gui_image_qbmphandler.cpp,v 1.1 2015/03/28 17:04:50 bsiegert Exp $
+https://codereview.qt-project.org/#/c/106929/4
+
+Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+--- src/gui/image/qbmphandler.cpp.orig 2015-03-24 21:58:44.000000000 +0000
++++ src/gui/image/qbmphandler.cpp
+@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream &s
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
++      if (((red_mask >> red_shift) + 1) == 0)
++            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
++      if (((green_mask >> green_shift) + 1) == 0)
++            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
++      if (((blue_mask >> blue_shift) + 1) == 0)
++            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+         alpha_shift = calc_shift(alpha_mask);
++      if (((alpha_mask >> alpha_shift) + 1) == 0)
++            return false;
+         alpha_scale = 256 / ((alpha_mask >> alpha_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;
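Review bot: The four added guards in the BMP_BITFIELDS branch reject only the single case where `(mask >> shift) + 1` wraps to zero, which presumably means an all-ones shifted mask in unsigned arithmetic (the mask types are declared outside the hunk), and nothing in the patch says so. A comment above the first check would make the intent reviewable, for example `// an all-ones mask makes (mask >> shift) + 1 wrap to 0; reject the file rather than divide by it`. A shifted mask wider than eight bits still passes the guard and, if these are integer types, gets a scale of 0 from `256 / (... + 1)`, so it is worth confirming that the later pixel-conversion code, which is not shown here, tolerates a zero scale. The added `if` lines are also indented differently from the surrounding code (what looks like a tab against spaces), and the same test repeated four times would read better as one small static helper. read_dib_body starts and ends outside the hunk.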


