backport CVE-2018-19870 CVE-2018-19873

2019-12-25 17:45:52 +08:00 · 2019-12-25 17:45:52 +08:00 · 0185e9c7ce
commit 0185e9c7ce
parent 0366733c3a
3 changed files with 77 additions and 1 deletions
--- a/CVE-2018-19870.patch
+++ b/CVE-2018-19870.patch
@ -0,0 +1,41 @@
+Backport of:
+
+From 2841e2b61e32f26900bde987d469c8b97ea31999 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Fri, 3 Aug 2018 13:25:15 +0200
+Subject: [PATCH] Check for QImage allocation failure in qgifhandler
+
+Since image files easily can be (or corrupt files claim to be) huge,
+it is worth checking for out of memory situations.
+
+Change-Id: I635a3ec6852288079fdec4e14cf7e776fe59e9e0
+Reviewed-by: Lars Knoll <lars.knoll@qt.io>
+---
+ src/plugins/imageformats/gif/qgifhandler.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+Index: qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qgifhandler.cpp
+===================================================================
+--- qtbase-opensource-src-5.5.1+dfsg.orig/src/gui/image/qgifhandler.cpp	2019-02-05 13:19:41.135941358 -0500
+++ qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qgifhandler.cpp	2019-02-05 13:20:04.364039732 -0500
+@@ -348,7 +348,8 @@ int QGIFFormat::decode(QImage *image, co
+                     (*image) = QImage(swidth, sheight, format);
+                     bpl = image->bytesPerLine();
+                     bits = image->bits();
+-                    memset(bits, 0, image->byteCount());
+                    if (bits)
+                        memset(bits, 0, image->byteCount());
+                 }
+ 
+                 // Check if the previous attempt to create the image failed. If it
+@@ -409,6 +410,10 @@ int QGIFFormat::decode(QImage *image, co
+                         backingstore = QImage(qMax(backingstore.width(), w),
+                                               qMax(backingstore.height(), h),
+                                               QImage::Format_RGB32);
+                        if (backingstore.isNull()) {
+                            state = Error;
+                            return -1;
+                        }
+                         memset(bits, 0, image->byteCount());
+                     }
+                     const int dest_bpl = backingstore.bytesPerLine();
--- a/CVE-2018-19873.patch
+++ b/CVE-2018-19873.patch
@ -0,0 +1,27 @@
+From 621ab8ab59901cc3f9bd98be709929c9eac997a8 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Tue, 4 Sep 2018 11:08:06 +0200
+Subject: [PATCH] bmp image handler: check for out of range image size
+
+Make the decoder fail early to avoid spending time and memory on
+attempting to decode a corrupt image file.
+
+Change-Id: I874e04f3b43122d73f8e58c7a5bcc4a741b68264
+Reviewed-by: Lars Knoll <lars.knoll@qt.io>
+---
+ src/gui/image/qbmphandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qbmphandler.cpp
+===================================================================
+--- qtbase-opensource-src-5.5.1+dfsg.orig/src/gui/image/qbmphandler.cpp	2019-02-05 13:20:23.396119556 -0500
+++ qtbase-opensource-src-5.5.1+dfsg/src/gui/image/qbmphandler.cpp	2019-02-05 13:20:23.392119539 -0500
+@@ -173,6 +173,8 @@ static bool read_dib_infoheader(QDataStr
+     if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
+         (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
+          return false;                                // weird compression type
+    if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
+        return false;
+ 
+     return true;
+ }
--- a/qt.spec
+++ b/qt.spec
@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        44
+Release:        45
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@ -75,6 +75,8 @@ Patch42:        qt-everywhere-opensource-src-4.8.6-systemtrayicon.patch
 Patch6000:      CVE-2018-19869.patch
 Patch6001:      CVE-2018-19872.patch
 Patch6002:      CVE-2018-19871.patch
+Patch6003:      CVE-2018-19870.patch
+Patch6004:      CVE-2018-19873.patch

 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@ -441,6 +443,12 @@ fi
 %{_qt4_prefix}/examples/

 %changelog
+* Wed Dec 25 2019 zhouyihang<zhouyihang1@huawei.com> - 1:4.8.7-45
+- Type:cves
+- ID:CVE-2018-19870 CVE-2018-19873
+- SUG:restart
+- DESC: fix CVE-2018-19870 CVE-2018-19873
+
 * Thu Dec 12 2019 shenyangyang<shenyangyang4@huawei.com> - 1:4.8.7-44
 - Type:enhancement
 - ID:NA