From c322f67808bb36c5fea3fbabd30aa242e408fc50 Mon Sep 17 00:00:00 2001 From: Paul Eggleton Date: Wed, 28 May 2014 11:49:30 +0100 Subject: qt4: add patch for GIF denial-of-service vulnerability For further details, see: https://bugreports.qt-project.org/browse/QTBUG-38367 Signed-off-by: Paul Eggleton Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- meta/recipes-qt/qt4/qt4-4.8.6.inc | 1 + .../0028-Don-t-crash-on-broken-GIF-images.patch | 47 ++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/0028-Don-t-crash-on-broken-GIF-images.patch (limited to 'meta/recipes-qt') diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc index c4dd36f67c..ae6692b50a 100644 --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc @@ -21,6 +21,7 @@ SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever file://0018-configure-make-pulseaudio-a-configurable-option.patch \ file://0019-Fixes-for-gcc-4.7.0-particularly-on-qemux86.patch \ file://0027-tools.pro-disable-qmeegographicssystemhelper.patch \ + file://0028-Don-t-crash-on-broken-GIF-images.patch \ file://g++.conf \ file://linux.conf \ " diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/0028-Don-t-crash-on-broken-GIF-images.patch b/meta/recipes-qt/qt4/qt4-4.8.6/0028-Don-t-crash-on-broken-GIF-images.patch new file mode 100644 index 0000000000..906e2fdfc8 --- /dev/null +++ b/meta/recipes-qt/qt4/qt4-4.8.6/0028-Don-t-crash-on-broken-GIF-images.patch @@ -0,0 +1,47 @@ +From f1b76c126c476c155af8c404b97c42cd1a709333 Mon Sep 17 00:00:00 2001 +From: Lars Knoll +Date: Thu, 24 Apr 2014 15:33:27 +0200 +Subject: [PATCH] Don't crash on broken GIF images + +Broken GIF images could set invalid width and height +values inside the image, leading to Qt creating a null +QImage for it. In that case we need to abort decoding +the image and return an error. + +Initial patch by Rich Moore. + +Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5 + +Task-number: QTBUG-38367 +Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a +Security-advisory: CVE-2014-0190 +Reviewed-by: Richard J. Moore + +Upstream-Status: Backport +Signed-off-by: Paul Eggleton + +--- + src/gui/image/qgifhandler.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp +index 3324f04..5199dd3 100644 +--- a/src/gui/image/qgifhandler.cpp ++++ b/src/gui/image/qgifhandler.cpp +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, + memset(bits, 0, image->byteCount()); + } + ++ // Check if the previous attempt to create the image failed. If it ++ // did then the image is broken and we should give up. ++ if (image->isNull()) { ++ state = Error; ++ return -1; ++ } ++ + disposePrevious(image); + disposed = false; + +-- +1.9.3 + -- cgit v1.2.3