From 56bd759df1d0c750a065b8c845e93d5dfa6b549d Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Sat, 8 Aug 2015 13:49:04 -0700 Subject: proj/gentoo: Initial commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit represents a new era for Gentoo: Storing the gentoo-x86 tree in Git, as converted from CVS. This commit is the start of the NEW history. Any historical data is intended to be grafted onto this point. Creation process: 1. Take final CVS checkout snapshot 2. Remove ALL ChangeLog* files 3. Transform all Manifests to thin 4. Remove empty Manifests 5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$ 5.1. Do not touch files with -kb/-ko keyword flags. 
Signed-off-by: Robin H. Johnson X-Thanks: Alec Warner - did the GSoC 2006 migration tests X-Thanks: Robin H. Johnson - infra guy, herding this project X-Thanks: Nguyen Thai Ngoc Duy - Former Gentoo developer, wrote Git features for the migration X-Thanks: Brian Harring - wrote much python to improve cvs2svn X-Thanks: Rich Freeman - validation scripts X-Thanks: Patrick Lauer - Gentoo dev, running new 2014 work in migration X-Thanks: Michał Górny - scripts, QA, nagging X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed --- dev-qt/qtgui/files/qtgui-4.7.3-cups.patch | 84 ++++++++++++++++++++++ dev-qt/qtgui/files/qtgui-4.8.5-CVE-2015-0295.patch | 40 +++++++++++ ...4.8.5-cleanlooks-floating-point-exception.patch | 38 ++++++++++ .../qtgui-4.8.5-disable-gtk-theme-check.patch | 22 ++++++ ...gui-4.8.5-dont-crash-on-broken-GIF-images.patch | 43 +++++++++++ .../files/qtgui-4.8.5-keyboard-shortcuts.patch | 41 +++++++++++ dev-qt/qtgui/files/qtgui-4.8.5-libjpeg-9.patch | 84 ++++++++++++++++++++++ .../qtgui/files/qtgui-4.8.5-qclipboard-delay.patch | 33 +++++++++ dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch | 63 ++++++++++++++++ dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch | 31 ++++++++ 10 files changed, 479 insertions(+) create mode 100644 dev-qt/qtgui/files/qtgui-4.7.3-cups.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-CVE-2015-0295.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-cleanlooks-floating-point-exception.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-disable-gtk-theme-check.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-keyboard-shortcuts.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-libjpeg-9.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.5-qclipboard-delay.patch create mode 100644 dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch create mode 100644 
dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch (limited to 'dev-qt/qtgui/files')
diff --git a/dev-qt/qtgui/files/qtgui-4.7.3-cups.patch b/dev-qt/qtgui/files/qtgui-4.7.3-cups.patch
new file mode 100644
index 000000000000..e0305e11b89a
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.7.3-cups.patch
@@ -0,0 +1,84 @@
+diff -ur qt-everywhere-opensource-src-4.6.2/src/gui/dialogs/qprintdialog_unix.cpp qt-everywhere-opensource-src-4.6.2-cups/src/gui/dialogs/qprintdialog_unix.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/gui/dialogs/qprintdialog_unix.cpp 2010-02-11 16:55:22.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2-cups/src/gui/dialogs/qprintdialog_unix.cpp 2010-02-28 04:34:16.000000000 +0100
+@@ -569,6 +569,32 @@
+ void QPrintDialogPrivate::selectPrinter(QCUPSSupport *cups)
+ {
+ options.duplex->setEnabled(cups && cups->ppdOption("Duplex"));
++
++ if (cups) {
++ const ppd_option_t* duplex = cups->ppdOption("Duplex");
++ if (duplex) {
++ // copy default ppd duplex to qt dialog
++ if (qstrcmp(duplex->defchoice, "DuplexTumble") == 0)
++ options.duplexShort->setChecked(true);
++ else if (qstrcmp(duplex->defchoice, "DuplexNoTumble") == 0)
++ options.duplexLong->setChecked(true);
++ else
++ options.noDuplex->setChecked(true);
++ }
++
++ if (cups->currentPPD()) {
++ // set default color
++ if (cups->currentPPD()->color_device)
++ options.color->setChecked(true);
++ else
++ options.grayscale->setChecked(true);
++ }
++
++ // set collation
++ const ppd_option_t *collate = cups->ppdOption("Collate");
++ if (collate)
++ options.collate->setChecked(qstrcmp(collate->defchoice, "True")==0);
++ }
+ }
+ #endif
+
+diff -ur qt-everywhere-opensource-src-4.6.2/src/gui/painting/qprinter.cpp qt-everywhere-opensource-src-4.6.2-cups/src/gui/painting/qprinter.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/gui/painting/qprinter.cpp 2010-02-11 16:55:22.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2-cups/src/gui/painting/qprinter.cpp 2010-02-28 04:55:15.000000000 +0100
+@@ -627,6 +627,44 @@
+ && d_ptr->paintEngine->type() != QPaintEngine::MacPrinter) {
+ setOutputFormat(QPrinter::PdfFormat);
+ }
++
++#if !defined(QT_NO_CUPS) && !defined(QT_NO_LIBRARY)
++ // fill in defaults from ppd file
++ QCUPSSupport cups;
++
++ int printernum = -1;
++ for (int i = 0; i < cups.availablePrintersCount(); i++) {
++ if (printerName().toLocal8Bit() == cups.availablePrinters()[i].name)
++ printernum = i;
++ }
++ if (printernum >= 0) {
++ cups.setCurrentPrinter(printernum);
++
++ const ppd_option_t* duplex = cups.ppdOption("Duplex");
++ if (duplex) {
++ // copy default ppd duplex to qt dialog
++ if (qstrcmp(duplex->defchoice, "DuplexTumble") == 0)
++ setDuplex(DuplexShortSide);
++ else if (qstrcmp(duplex->defchoice, "DuplexNoTumble") == 0)
++ setDuplex(DuplexLongSide);
++ else
++ setDuplex(DuplexNone);
++ }
++
++ if (cups.currentPPD()) {
++ // set default color
++ if (cups.currentPPD()->color_device)
++ setColorMode(Color);
++ else
++ setColorMode(GrayScale);
++ }
++
++ // set collation
++ const ppd_option_t *collate = cups.ppdOption("Collate");
++ if (collate)
++ setCollateCopies(qstrcmp(collate->defchoice, "True")==0);
++ }
++#endif
+ }
+
+ /*!
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-CVE-2015-0295.patch b/dev-qt/qtgui/files/qtgui-4.8.5-CVE-2015-0295.patch
new file mode 100644
index 000000000000..3ac87d8dc369
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-CVE-2015-0295.patch
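Review bot: In qtgui-4.7.3-cups.patch, the printer lookup loop added to qprinter.cpp keeps iterating after a match, so `printernum` ends up as the last matching index and every remaining entry is still compared; `printernum = i; break;` would stop at the first hit. The block also constructs a `QCUPSSupport` each time this code path runs, which presumably queries CUPS for every printer object, so a comment stating that this cost is accepted would help. The patch file has no description header, and its paths name a 4.6.2 tree while the file is labelled 4.7.3; a short header giving origin and upstream status would make it auditable. The enclosing qprinter.cpp function starts outside the inner hunk.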
@@ -0,0 +1,40 @@
+From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore"
+Date: Tue, 24 Feb 2015 19:02:35 +0000
+Subject: [PATCH] Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Backport of 661f6bfd032dacc62841037732816a583640e187
+
+Task-number: QTBUG-44547
+Change-Id: I43f06e752b11cb50669101460902a82b885ae618
+Reviewed-by: Thiago Macieira
+---
+ src/gui/image/qbmphandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index b22e842..30fa9e0 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ }
+ } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return false;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return false;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return false;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
+--
+2.0.5
\ No newline at end of file
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-cleanlooks-floating-point-exception.patch b/dev-qt/qtgui/files/qtgui-4.8.5-cleanlooks-floating-point-exception.patch
new file mode 100644
index 000000000000..a54efef0d78b
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-cleanlooks-floating-point-exception.patch
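Review bot: In qtgui-4.8.5-CVE-2015-0295.patch, each added guard rejects only the case where `(mask >> shift) + 1` wraps to zero; a mask whose shifted value is above 255 still makes the integer division `256 / (...)` yield a scale of 0, so such a malformed file is accepted with that channel scaled away rather than rejected (how the scale is used is outside the hunk). The divisor is also written out twice per channel, which invites the check and the division drifting apart. A local keeps them in step, e.g. `const uint red_div = (red_mask >> red_shift) + 1; if (red_div == 0) return false; red_scale = 256 / red_div;`, assuming the masks are unsigned as the wrap-around check implies. read_dib_body starts and ends outside the inner hunk.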
@@ -0,0 +1,38 @@
+From 0db65e148dcb4d5e5b98475f207d41a287c401a1 Mon Sep 17 00:00:00 2001
+From: Alexandre Rostovtsev
+Date: Wed, 28 May 2014 00:22:55 -0400
+Subject: [PATCH] Cleanlooks style: Fix floating point exception
+
+In QCleanlooksStyle::drawControl, if indeterminate == true and
+rect.width() == 4, we will end up with slideWidth of zero, and
+take a mod by zero when calculating the value of step.
+
+This causes a crash in Quassel 0.10; see
+https://bugs.gentoo.org/show_bug.cgi?id=507124
+
+Instead, calculate slideWidth based on max(width, minWidth) where
+minWidth was already set as 4, ensuring that slideWidth >= 2.
+
+Change-Id: I6678789105e359fa26c99409f449cad0ba3bd0ae
+(cherry picked from qtstyleplugins/8ff2ac6035fb1d01f5c0054ba14afb949410e3a7)
+Reviewed-by: Giuseppe D'Angelo
+---
+ src/gui/styles/qcleanlooksstyle.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gui/styles/qcleanlooksstyle.cpp b/src/gui/styles/qcleanlooksstyle.cpp
+index 504734a..3f665ca 100644
+--- a/src/gui/styles/qcleanlooksstyle.cpp
++++ b/src/gui/styles/qcleanlooksstyle.cpp
+@@ -1773,7 +1773,7 @@ void QCleanlooksStyle::drawControl(ControlElement element, const QStyleOption *o
+ }
+ } else {
+ Q_D(const QCleanlooksStyle);
+- int slideWidth = ((rect.width() - 4) * 2) / 3;
++ int slideWidth = (qMax(rect.width() - 4, minWidth) * 2) / 3;
+ int step = ((d->animateStep * slideWidth) / d->animationFps) % slideWidth;
+ if ((((d->animateStep * slideWidth) / d->animationFps) % (2 * slideWidth)) >= slideWidth)
+ step = slideWidth - step;
+--
+2.0.0
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-disable-gtk-theme-check.patch b/dev-qt/qtgui/files/qtgui-4.8.5-disable-gtk-theme-check.patch
new file mode 100644
index 000000000000..9a9f773537e4
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-disable-gtk-theme-check.patch
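Review bot: In qtgui-4.8.5-cleanlooks-floating-point-exception.patch, the new `qMax(rect.width() - 4, minWidth)` keeps `slideWidth` non-zero only while `minWidth` is at least 2, and `minWidth` is declared outside the hunk, so nothing at this line records that dependency. A comment such as `// minWidth >= 2 keeps slideWidth non-zero; it is used as a modulus below` would stop a later change to `minWidth` from reintroducing the modulo by zero. `d->animationFps` is still a divisor on the following line with no visible check; whether it can be zero is not shown here.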
@@ -0,0 +1,22 @@
+diff -up qt-everywhere-opensource-src-4.8.5/src/gui/styles/qgtkstyle_p.cpp.qgtkstyle_disable_gtk_theme_check qt-everywhere-opensource-src-4.8.5/src/gui/styles/qgtkstyle_p.cpp
+--- qt-everywhere-opensource-src-4.8.5/src/gui/styles/qgtkstyle_p.cpp.qgtkstyle_disable_gtk_theme_check 2013-06-09 16:28:22.938840346 -0500
++++ qt-everywhere-opensource-src-4.8.5/src/gui/styles/qgtkstyle_p.cpp 2013-06-09 17:03:01.781125479 -0500
+@@ -503,18 +503,6 @@ void QGtkStylePrivate::initGtkWidgets()
+ return;
+ }
+
+- static QString themeName;
+- if (!gtkWidgetMap()->contains("GtkWindow") && themeName.isEmpty()) {
+- themeName = getThemeName();
+-
+- if (themeName == QLS("Qt") || themeName == QLS("Qt4")) {
+- // Due to namespace conflicts with Qt3 and obvious recursion with Qt4,
+- // we cannot support the GTK_Qt Gtk engine
+- qWarning("QGtkStyle cannot be used together with the GTK_Qt engine.");
+- return;
+- }
+- }
+-
+ if (QGtkStylePrivate::gtk_init) {
+ // Gtk will set the Qt error handler so we have to reset it afterwards
+ x11ErrorHandler qt_x_errhandler = XSetErrorHandler(0);
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch b/dev-qt/qtgui/files/qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch
new file mode 100644
index 000000000000..d800caf97421
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch
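Review bot: qtgui-4.8.5-disable-gtk-theme-check.patch has no description header, so nothing records why the GTK_Qt engine guard in `QGtkStylePrivate::initGtkWidgets()` is removed, where the change comes from, or whether upstream accepted it. The removed lines' own comment gives recursion with Qt4 as the reason the guard existed, so the patch should state what now prevents that case. Suggest a header at the top of the patch file giving the rationale, a bug reference and the upstream status.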
@@ -0,0 +1,43 @@
+From f1b76c126c476c155af8c404b97c42cd1a709333 Mon Sep 17 00:00:00 2001
+From: Lars Knoll
+Date: Thu, 24 Apr 2014 15:33:27 +0200
+Subject: Don't crash on broken GIF images
+
+Broken GIF images could set invalid width and height
+values inside the image, leading to Qt creating a null
+QImage for it. In that case we need to abort decoding
+the image and return an error.
+
+Initial patch by Rich Moore.
+
+Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5
+
+Task-number: QTBUG-38367
+Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a
+Security-advisory: CVE-2014-0190
+Reviewed-by: Richard J. Moore
+---
+ src/gui/image/qgifhandler.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 3324f04..5199dd3 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ memset(bits, 0, image->byteCount());
+ }
+
++ // Check if the previous attempt to create the image failed. If it
++ // did then the image is broken and we should give up.
++ if (image->isNull()) {
++ state = Error;
++ return -1;
++ }
++
+ disposePrevious(image);
+ disposed = false;
+
+--
+1.9.3
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-keyboard-shortcuts.patch b/dev-qt/qtgui/files/qtgui-4.8.5-keyboard-shortcuts.patch
new file mode 100644
index 000000000000..c975ebfaca2d
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-keyboard-shortcuts.patch
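Review bot: In qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch, the added `image->isNull()` check comes after the context line `memset(bits, 0, image->byteCount());`, so when image creation fails that call has presumably already run with the null image's `bits` pointer. It is likely a zero-length call, but passing a null pointer to memset is still undefined, so the check is safer placed directly after the image is created and before `bits` is used: `if (image->isNull()) { state = Error; return -1; }`. The block that creates the image starts outside the hunk, so this ordering is inferred from its visible tail only.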
@@ -0,0 +1,41 @@
+From 0c03af0d4d928bdbb32b09eedb1dba3ce59e5278 Mon Sep 17 00:00:00 2001
+From: Gatis Paeglis
+Date: Sat, 31 Aug 2013 21:22:47 +0200
+Subject: [PATCH] Revert "QTBUG-15319: fix shortcuts with secondary Xkb
+ layout."
+
+The change which attempted to fix QTBUG-15319 broke keyboard
+shortcuts for non latin keyboard layouts.
+
+This patch reverts QTBUG-15319 (f45cdeda8) since it caused a
+regression.
+
+Task-number: QTBUG-32908
+
+Change-Id: I47d7984fa7986d5218d1f3ff1fc36d2ec67c9ba7
+Reviewed-by: David Faure
+---
+ src/gui/kernel/qkeymapper_x11.cpp | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/gui/kernel/qkeymapper_x11.cpp b/src/gui/kernel/qkeymapper_x11.cpp
+index 005ff3f..7daa41d 100644
+--- a/src/gui/kernel/qkeymapper_x11.cpp
++++ b/src/gui/kernel/qkeymapper_x11.cpp
+@@ -282,12 +282,9 @@ QList QKeyMapperPrivate::possibleKeysXKB(QKeyEvent *event)
+
+ // first, translate key only using lock modifiers (there are no Qt equivalents for these, so we must
+ // always use them when determining the baseKeySym)
+- // Note: the Xkb group to be used for the conversion keycode->keysym has to be given to
+- // XkbLookupKeySym(). This information is contained in the bits 8 to 15 of xmodifiers.
+- // See https://bugreports.qt-project.org/browse/QTBUG-15319 .
+ KeySym baseKeySym;
+ uint consumedModifiers;
+- if (!XkbLookupKeySym(X11->display, xkeycode, (xmodifiers & (0xff00 | LockMask | qt_num_lock_mask)),
++ if (!XkbLookupKeySym(X11->display, xkeycode, (xmodifiers & (LockMask | qt_num_lock_mask)),
+ &consumedModifiers, &baseKeySym))
+ return QList();
+
+--
+1.8.3.2
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-libjpeg-9.patch b/dev-qt/qtgui/files/qtgui-4.8.5-libjpeg-9.patch
new file mode 100644
index 000000000000..47d35e232499
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-libjpeg-9.patch
@@ -0,0 +1,84 @@
+From 2a9ea11f4dea51f9e75036aab8e7a23f0eb4bd1f Mon Sep 17 00:00:00 2001
+From: aavit
+Date: Tue, 10 Sep 2013 11:46:51 +0200
+Subject: Compilation fix for libjpeg release 9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the latest libjpeg version, the "boolean" type is changed so that
+true and false no longer can be used instead of TRUE and FALSE.
+
+Also, purge some ancient code remains meant to support a now defunct
+OS´s idea about the boolean type.
+
+Task-number: QTBUG-33166
+Change-Id: Iebbdf300cfdc22775954de65f985358424ed2b49
+Reviewed-by: Gunnar Sletta
+(cherry picked from qtbase/fad6aa619bf6eb048821a58065433f6b598c10e4)
+---
+ src/gui/image/qjpeghandler.cpp | 27 +++++----------------------
+ 1 file changed, 5 insertions(+), 22 deletions(-)
+
+diff --git a/src/gui/image/qjpeghandler.cpp b/src/gui/image/qjpeghandler.cpp
+index a8700b7..ba5c469 100644
+--- a/src/gui/image/qjpeghandler.cpp
++++ b/src/gui/image/qjpeghandler.cpp
+@@ -157,11 +157,7 @@ static boolean qt_fill_input_buffer(j_decompress_ptr cinfo)
+ } else {
+ src->bytes_in_buffer = num_read;
+ }
+-#if defined(Q_OS_UNIXWARE)
+- return B_TRUE;
+-#else
+- return true;
+-#endif
++ return TRUE;
+ }
+
+ static void qt_skip_input_data(j_decompress_ptr cinfo, long num_bytes)
+@@ -489,11 +485,7 @@ static boolean qt_empty_output_buffer(j_compress_ptr cinfo)
+ dest->next_output_byte = dest->buffer;
+ dest->free_in_buffer = max_buf;
+
+-#if defined(Q_OS_UNIXWARE)
+- return B_TRUE;
+-#else
+- return true;
+-#endif
++ return TRUE;
+ }
+
+ static void qt_term_destination(j_compress_ptr cinfo)
+@@ -584,13 +576,8 @@ static bool write_jpeg_image(const QImage &image, QIODevice *device, int sourceQ
+
+
+ int quality = sourceQuality >= 0 ? qMin(sourceQuality,100) : 75;
+-#if defined(Q_OS_UNIXWARE)
+- jpeg_set_quality(&cinfo, quality, B_TRUE /* limit to baseline-JPEG values */);
+- jpeg_start_compress(&cinfo, B_TRUE);
+-#else
+- jpeg_set_quality(&cinfo, quality, true /* limit to baseline-JPEG values */);
+- jpeg_start_compress(&cinfo, true);
+-#endif
++ jpeg_set_quality(&cinfo, quality, TRUE /* limit to baseline-JPEG values */);
++ jpeg_start_compress(&cinfo, TRUE);
+
+ row_pointer[0] = new uchar[cinfo.image_width*cinfo.input_components];
+ int w = cinfo.image_width;
+@@ -751,11 +738,7 @@ bool QJpegHandlerPrivate::readJpegHeader(QIODevice *device)
+ err.error_exit = my_error_exit;
+
+ if (!setjmp(err.setjmp_buffer)) {
+- #if defined(Q_OS_UNIXWARE)
+- (void) jpeg_read_header(&info, B_TRUE);
+- #else
+- (void) jpeg_read_header(&info, true);
+- #endif
++ (void) jpeg_read_header(&info, TRUE);
+
+ int width = 0;
+ int height = 0;
+--
+2.0.0
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.5-qclipboard-delay.patch b/dev-qt/qtgui/files/qtgui-4.8.5-qclipboard-delay.patch
new file mode 100644
index 000000000000..d46f8c541872
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.5-qclipboard-delay.patch
@@ -0,0 +1,33 @@
+From a83ddc5212736f89a0b94667c495494fe6861d63 Mon Sep 17 00:00:00 2001
+From: Michael Palimaka
+Date: Mon, 16 Jun 2014 23:52:24 +1000
+Subject: Fix delay with QClipboard and useEventLoop.
+
+This manifests when using LibreOffice with KDE integration. When KFileDialog is
+open, the clipboard is repeatedly polled causing a visible delay since using
+QClipboard in "useEventLoop" mode adds 50ms delay to every single clipboard
+fetch.
+
+Change-Id: Id30cda7b983ae7c949fa270d04f772fa44fc21cd
+Task-number: QTBUG-38585
+---
+ src/gui/kernel/qclipboard_x11.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui/kernel/qclipboard_x11.cpp b/src/gui/kernel/qclipboard_x11.cpp
+index 14bf088..5f442b9 100644
+--- a/src/gui/kernel/qclipboard_x11.cpp
++++ b/src/gui/kernel/qclipboard_x11.cpp
+@@ -548,7 +548,8 @@ bool QX11Data::clipboardWaitForEvent(Window win, int type, XEvent *event, int ti
+ return false;
+
+ XSync(X11->display, false);
+- usleep(50000);
++ if (!XPending(X11->display))
++ usleep(5000);
+
+ now.start();
+
+--
+2.0.0
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch
new file mode 100644
index 000000000000..c1aac444a644
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch
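Review bot: In qtgui-4.8.5-qclipboard-delay.patch, the new `if (!XPending(X11->display)) usleep(5000);` has no comment, and the commit message explains only the old 50 ms figure, not why 5000 µs was chosen or why the sleep is skipped when events are pending. A comment such as `// Sleep only when no event is queued; 5 ms keeps repeated clipboard fetches responsive` would document it. The patch carries a Change-Id but no Reviewed-by or cherry-pick trailer, so its upstream status should be stated in the patch header. clipboardWaitForEvent starts and ends outside the inner hunk.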
@@ -0,0 +1,63 @@
+From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+Reviewed-by: Richard J. Moore
+---
+ src/gui/image/qbmphandler.cpp | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 30fa9e0..17a880b 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 1a88605..3c34765 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
+--
+cgit v0.11.0
+
diff --git a/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch
new file mode 100644
index 000000000000..d881db8d5b86
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch
@@ -0,0 +1,31 @@
+From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+Reviewed-by: Richard J. Moore
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 5199dd3..49aa2a6 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
+--
+cgit v0.11.0
+
-- cgit v1.2.3-65-gdbad
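Review bot: In qtgui-4.8.6-CVE-2015-1858.patch, the relocated clamp in the delta case assumes `w` and `h` are at least 1: with a zero dimension `x = w-1` leaves `x` at -1, and `p = data + (h-y-1)*bpl + x` is then computed from it. Whether read_dib_body rejects zero dimensions earlier is outside the hunk, so this should be confirmed. The clamp also silently redirects an out-of-range jump instead of failing the decode; if that is intended, the comment should say so, e.g. `// Protection: clamp after applying the delta so p stays inside the image`.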
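Review bot: In qtgui-4.8.6-CVE-2015-1860.patch, the early return added at the top of `QGIFFormat::nextY` is undocumented, and `out_of_bounds` is set somewhere outside the hunk. A comment such as `// Stop advancing rows once decoding has run past the image` would explain why the row state is left untouched, with the wording confirmed against the place where the flag is set. nextY's body continues outside the hunk.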