author: Raphael Kubo da Costa <rakuco@FreeBSD.org> 2015-04-14 08:34:41 +0000
committer: Raphael Kubo da Costa <rakuco@FreeBSD.org> 2015-04-14 08:34:41 +0000
commit: f93780a7ecf52e139590e119bd23433b74157cb2 (patch)
tree: 2bea38df371da00c88cc7d1e600deac8d812e6b7 /x11-toolkits/qt4-gui
parent: 19d9aa2b810693863c2415a4a8e2949347b0f243 (diff)
2 files changed, 54 insertions, 1 deletions
diff --git a/x11-toolkits/qt4-gui/Makefile b/x11-toolkits/qt4-gui/Makefile
index 7d69f97889ca..6d328c0c141f 100644
--- a/x11-toolkits/qt4-gui/Makefile
+++ b/x11-toolkits/qt4-gui/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	gui
 DISTVERSION=	${QT4_VERSION}
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	x11-toolkits
 PKGNAMEPREFIX=	qt4-
 
diff --git a/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859 b/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
new file mode 100644
index 000000000000..d03c34d59b00
--- /dev/null
+++ b/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
@@ -0,0 +1,53 @@
+commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32
+Author: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date:   Wed Mar 11 13:34:01 2015 +0100
+
+    Fixes crash in bmp and ico image decoding
+    
+    Fuzzing test revealed that for certain malformed bmp and ico files,
+    the handler would segfault.
+    
+    Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+    (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+    Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- src/gui/image/qbmphandler.cpp
++++ src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
++
++                            // Protection
++                            if ((uint)x >= (uint)w)
++                                x = w-1;
++                            if ((uint)y >= (uint)h)
++                                y = h-1;
++
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+--- src/plugins/imageformats/ico/qicohandler.cpp
++++ src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
++                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
author	Raphael Kubo da Costa <rakuco@FreeBSD.org>	2015-04-14 08:34:41 +0000
committer	Raphael Kubo da Costa <rakuco@FreeBSD.org>	2015-04-14 08:34:41 +0000
commit	f93780a7ecf52e139590e119bd23433b74157cb2 (patch)
tree	2bea38df371da00c88cc7d1e600deac8d812e6b7 /x11-toolkits/qt4-gui
parent	19d9aa2b810693863c2415a4a8e2949347b0f243 (diff)