diff options
author | A. Wilcox <AWilcox@Wilcox-Tech.com> | 2020-09-17 00:00:34 +0000 |
---|---|---|
committer | A. Wilcox <AWilcox@Wilcox-Tech.com> | 2020-09-17 00:00:34 +0000 |
commit | dafa0ff58975f1b8eacda058b838205164afec4c (patch) | |
tree | b6a8fa6d4abb0f5e5ef9c204bfc9422b0e91aab6 /user/qt5-qtbase/CVE-2020-17507.patch | |
parent | d5f26b5bf56bb6765a31c1a3278822a8c86156e5 (diff) | |
download | packages-dafa0ff58975f1b8eacda058b838205164afec4c.tar.gz packages-dafa0ff58975f1b8eacda058b838205164afec4c.tar.bz2 packages-dafa0ff58975f1b8eacda058b838205164afec4c.tar.xz packages-dafa0ff58975f1b8eacda058b838205164afec4c.zip |
user/qt5: Update to 5.12.9
Diffstat (limited to 'user/qt5-qtbase/CVE-2020-17507.patch')
-rw-r--r-- | user/qt5-qtbase/CVE-2020-17507.patch | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/user/qt5-qtbase/CVE-2020-17507.patch b/user/qt5-qtbase/CVE-2020-17507.patch new file mode 100644 index 000000000..126b55c96 --- /dev/null +++ b/user/qt5-qtbase/CVE-2020-17507.patch @@ -0,0 +1,159 @@ +From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001 +From: Robert Loehning <robert.loehning@qt.io> +Date: Thu, 9 Jul 2020 13:33:34 +0200 +Subject: [PATCH] Fix buffer overflow + +Fixes: oss-fuzz-23988 +Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35 +Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> +(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +--- + src/gui/image/qxpmhandler.cpp | 2 +- + tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 + + tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 8 ++++++++ + 3 files changed, 10 insertions(+), 1 deletion(-) + create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm + +diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp +index 17272ffe69b..417dab7ce3f 100644 +--- a/src/gui/image/qxpmhandler.cpp ++++ b/src/gui/image/qxpmhandler.cpp +@@ -973,7 +973,7 @@ static bool read_xpm_body( + } else { + char b[16]; + b[cpp] = '\0'; +- for (x=0; x<w && d<end; x++) { ++ for (x=0; x<w && d+cpp<end; x++) { + memcpy(b, (char *)d, cpp); + *p++ = (uchar)colorMap[xpmHash(b)]; + d += cpp; +diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm +new file mode 100644 +index 00000000000..7e6c1e4ca2e +--- /dev/null ++++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm +@@ -0,0 +1 @@ ++/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ " +\ No newline at end of file +diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +index 1eee2f273ef..0135e48c7df 100644 +--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp ++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +@@ -167,6 +167,8 @@ private slots: + void devicePixelRatio_data(); + void devicePixelRatio(); + ++ void xpmBufferOverflow(); ++ + private: + QString prefix; + QTemporaryDir m_temporaryDir; +@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio() + QCOMPARE(img.devicePixelRatio(), dpr); + } + ++void tst_QImageReader::xpmBufferOverflow() ++{ ++ // Please note that the overflow only showed when Qt was configured with "-sanitize address". ++ QImageReader(":/images/oss-fuzz-23988.xpm").read(); ++} ++ + QTEST_MAIN(tst_QImageReader) + #include "tst_qimagereader.moc" +-- +2.16.3 + +From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001 +From: Allan Sandfeld Jensen <allan.jensen@qt.io> +Date: Thu, 23 Jul 2020 11:48:48 +0200 +Subject: [PATCH] Fix buffer overflow in XBM parser + +Avoid parsing over the buffer limit, or interpreting non-hex +as hex. + +This still leaves parsing of lines longer than 300 chars +unreliable + +Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb +Reviewed-by: Robert Loehning <robert.loehning@qt.io> +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> +(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211) +Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> +--- + src/gui/image/qxbmhandler.cpp | 4 ++- + .../gui/image/qimagereader/tst_qimagereader.cpp | 37 ++++++++++++++++++++++ + 2 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp +index 7ba44049b48..8c4be4f0eda 100644 +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage) + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { +diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +index 0135e48c7df..61b11a77794 100644 +--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp ++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +@@ -168,6 +168,7 @@ private slots: + void devicePixelRatio(); + + void xpmBufferOverflow(); ++ void xbmBufferHandling(); + + private: + QString prefix; +@@ -2010,5 +2011,41 @@ void tst_QImageReader::xpmBufferOverflow() + QImageReader(":/images/oss-fuzz-23988.xpm").read(); + } + ++void tst_QImageReader::xbmBufferHandling() ++{ ++ uint8_t original_buffer[256]; ++ for (int i = 0; i < 256; ++i) ++ original_buffer[i] = i; ++ ++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB); ++ image.setColorTable({0xff000000, 0xffffffff}); ++ ++ QByteArray buffer; ++ { ++ QBuffer buf(&buffer); ++ QImageWriter writer(&buf, "xbm"); ++ writer.write(image); ++ } ++ ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ ++ auto i = buffer.indexOf(','); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++#if 0 // Lines longer than 300 chars not supported currently ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++#endif ++ ++ i = buffer.lastIndexOf("\n "); ++ buffer.truncate(i + 1); ++ buffer.append(QByteArray(297, ' ')); ++ buffer.append("0x"); ++ // Only check we get no buffer overflow ++ QImage::fromData(buffer, "xbm"); ++} ++ + QTEST_MAIN(tst_QImageReader) + #include "tst_qimagereader.moc" +-- +2.16.3 + |