backport CVE-2018-19870 CVE-2018-19873
parent
0366733c3a
commit
0185e9c7ce
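--- /dev/null
+++ b/CVE-2018-19870.patch
@@ -0,0 +1,41 @@
+Backport of:
+
+From 2841e2b61e32f26900bde987d469c8b97ea31999 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Fri, 3 Aug 2018 13:25:15 +0200
+Subject: [PATCH] Check for QImage allocation failure in qgifhandler
+
+Since image files easily can be (or corrupt files claim to be) huge,
+it is worth checking for out of memory situations.
+
+Change-Id: I635a3ec6852288079fdec4e14cf7e776fe59e9e0
+Reviewed-by: Lars Knoll <lars.knoll@qt.io>
+---
+src/plugins/imageformats/gif/qgifhandler.cpp | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+Index: qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qgifhandler.cpp
+===================================================================
+--- qtbase-opensource-src-5.5.1+dfsg.orig/src/gui/image/qgifhandler.cpp 2019-02-05 13:19:41.135941358 -0500
++++ qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qgifhandler.cpp 2019-02-05 13:20:04.364039732 -0500
+@@ -348,7 +348,8 @@ int QGIFFormat::decode(QImage *image, co
+(*image) = QImage(swidth, sheight, format);
+bpl = image->bytesPerLine();
+bits = image->bits();
+- memset(bits, 0, image->byteCount());
++ if (bits)
++ memset(bits, 0, image->byteCount());
+}
+
+// Check if the previous attempt to create the image failed. If it
+@@ -409,6 +410,10 @@ int QGIFFormat::decode(QImage *image, co
+backingstore = QImage(qMax(backingstore.width(), w),
+qMax(backingstore.height(), h),
+QImage::Format_RGB32);
++ if (backingstore.isNull()) {
++ state = Error;
++ return -1;
++ }
+memset(bits, 0, image->byteCount());
+}
+const int dest_bpl = backingstore.bytesPerLine();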
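Review bot: The embedded patch is diffed against `qtbase-opensource-src-5.5.1+dfsg` (its `Index:` line, with hunk positions 348 and 409), while this package builds Qt 4.8.7, so both hunks may apply only with an offset or fuzz. For a memory-safety backport that matters: a fuzzy match could place the `backingstore.isNull()` return or the `if (bits)` guard next to a different allocation than the one the upstream fix protects, so the `%prep` output should show both hunks applying cleanly, or the patch should be rediffed against the 4.8.7 tree. The same applies to CVE-2018-19873.patch, which carries the same 5.5.1 `Index:` prefix. A header line such as `Rediffed for qt 4.8.7 from the qtbase 5.5.1 backport` would record where the file came from. `QGIFFormat::decode` starts and ends outside both hunks, so the surrounding 4.8.7 code is not visible here.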
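--- /dev/null
+++ b/CVE-2018-19873.patch
@@ -0,0 +1,27 @@
+From 621ab8ab59901cc3f9bd98be709929c9eac997a8 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Tue, 4 Sep 2018 11:08:06 +0200
+Subject: [PATCH] bmp image handler: check for out of range image size
+
+Make the decoder fail early to avoid spending time and memory on
+attempting to decode a corrupt image file.
+
+Change-Id: I874e04f3b43122d73f8e58c7a5bcc4a741b68264
+Reviewed-by: Lars Knoll <lars.knoll@qt.io>
+---
+src/gui/image/qbmphandler.cpp | 2 ++
+1 file changed, 2 insertions(+)
+
+Index: qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qbmphandler.cpp
+===================================================================
+--- qtbase-opensource-src-5.5.1+dfsg.orig/src/gui/image/qbmphandler.cpp 2019-02-05 13:20:23.396119556 -0500
++++ qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qbmphandler.cpp 2019-02-05 13:20:23.392119539 -0500
+@@ -173,6 +173,8 @@ static bool read_dib_infoheader(QDataStr
+if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
+(nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
+return false; // weird compression type
++ if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
++ return false;
+
+return true;
+}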
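Review bot: `qAbs(bi.biHeight)` in the added size check overflows when a file supplies `biHeight == INT_MIN`, because negating that value is undefined for a signed int, so the bound is least reliable for exactly the corrupt headers it is meant to reject. A zero `biWidth` or `biHeight` also passes, since the product is then 0; whether later code copes with a zero-sized image is not visible in this hunk. I would put `if (bi.biHeight == INT_MIN) return false;` ahead of the check and consider `bi.biWidth <= 0 || bi.biHeight == 0` in the condition. `read_dib_infoheader` starts outside the hunk, so a signed 32-bit `biHeight` is inferred from the `qAbs` call and the `< 0` test on `biWidth`.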
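--- a/qt.spec
+++ b/qt.spec
@@ -13,7 +13,7 @@
 Name: qt
 Epoch: 1
 Version: 4.8.7
-Release: 44
+Release: 45
 Summary: A software toolkit for developing applications
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL: http://qt-project.org/
@@ -75,6 +75,8 @@ Patch42: qt-everywhere-opensource-src-4.8.6-systemtrayicon.patch
 Patch6000: CVE-2018-19869.patch
 Patch6001: CVE-2018-19872.patch
 Patch6002: CVE-2018-19871.patch
+Patch6003: CVE-2018-19870.patch
+Patch6004: CVE-2018-19873.patch
 
 BuildRequires: cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires: pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@@ -441,6 +443,12 @@ fi
 %{_qt4_prefix}/examples/
 
 %changelog
+* Wed Dec 25 2019 zhouyihang<zhouyihang1@huawei.com> - 1:4.8.7-45
+- Type:cves
+- ID:CVE-2018-19870 CVE-2018-19873
+- SUG:restart
+- DESC: fix CVE-2018-19870 CVE-2018-19873
+
 * Thu Dec 12 2019 shenyangyang<shenyangyang4@huawei.com> - 1:4.8.7-44
 - Type:enhancement
 - ID:NA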
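Review bot: `Patch6003` and `Patch6004` are only declared here; the 10 changes counted for qt.spec are fully accounted for by the Release bump, these two tags and the changelog entry, so no `%patch6003 -p1` / `%patch6004 -p1` lines were added. If `%prep` (outside the shown hunks) uses `%autosetup` or `%autopatch` that is fine, but with explicit per-patch `%patch` lines the package would ship as 4.8.7-45 with a changelog claiming both CVEs fixed while the decoder code is unchanged. The build log should be checked to confirm both patches are actually applied.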