[qt] DoS vulnerability in the BMP image handler (CVE-2015-0295)
Rex Dieter
rdieter at fedoraproject.org
Fri Feb 27 14:28:23 UTC 2015
commit aeb79bb5436c3452e01c34dca889664d5ef420cd
Author: Rex Dieter <rdieter at math.unl.edu>
Date: Fri Feb 27 08:28:21 2015 -0600
DoS vulnerability in the BMP image handler (CVE-2015-0295)
...ion-by-zero-when-processing-malformed-BMP.patch | 42 ++++++++++++++++++++++
qt.spec | 9 ++++-
2 files changed, 50 insertions(+), 1 deletion(-)
---
diff --git a/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch b/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
new file mode 100644
index 0000000..ab2293b
--- /dev/null
+++ b/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
@@ -0,0 +1,42 @@
+From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich at kde.org>
+Date: Tue, 24 Feb 2015 19:02:35 +0000
+Subject: [PATCH 137/138] Fix a division by zero when processing malformed BMP
+ files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Backport of 661f6bfd032dacc62841037732816a583640e187
+
+Task-number: QTBUG-44547
+Change-Id: I43f06e752b11cb50669101460902a82b885ae618
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+---
+ src/gui/image/qbmphandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index b22e842..30fa9e0 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ }
+ } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return false;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return false;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return false;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
+--
+1.9.3
+
diff --git a/qt.spec b/qt.spec
index 69544bd..f499787 100644
--- a/qt.spec
+++ b/qt.spec
@@ -35,7 +35,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.6
-Release: 24%{?dist}
+Release: 25%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -196,6 +196,9 @@ Patch267: 0067-Fix-AArch64-arm64-detection.patch
Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
## security patches
+# CVE-2015-0295
+# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
+Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
# desktop files
Source20: assistant.desktop
@@ -593,6 +596,7 @@ rm -rf src/3rdparty/clucene
%patch266 -p1 -b .0066
%patch267 -p1 -b .0067
%patch272 -p1 -b .0072
+%patch337 -p1 -b .0137
# security fixes
# regression fixes for the security fixes
@@ -1313,6 +1317,9 @@ fi
%changelog
+* Fri Feb 27 2015 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.6-25
+- DoS vulnerability in the BMP image handler (CVE-2015-0295)
+
* Mon Feb 16 2015 Rex Dieter <rdieter at fedoraproject.org> 1:4.8.6-24
- more gcc5 detection fixes, in particular, ensure same QT_BUILD_KEY as gcc4 for now
More information about the scm-commits
mailing list