SECURITY: add a fix from upstream for a DoS in the BMP handler. Bump

PKGREVISION. https://codereview.qt-project.org/#/c/107108/4 Fix a division by zero when processing malformed BMP files. This fixes a division by 0 when processing a maliciously crafted BMP file. No impact beyond DoS.
2015-03-24 21:43:52 +00:00 · 2015-03-24 21:43:52 +00:00 · b9e889c638
commit b9e889c638
parent 37ae366f62
3 changed files with 29 additions and 3 deletions
--- a/x11/qt4-libs/Makefile
+++ b/x11/qt4-libs/Makefile
@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.102 2014/11/28 21:07:51 spz Exp $
+# $NetBSD: Makefile,v 1.103 2015/03/24 21:43:52 bsiegert Exp $

 PKGNAME=	qt4-libs-${QTVERSION}
-PKGREVISION=	3
+PKGREVISION=	4
 COMMENT=	C++ X GUI toolkit

 .include "../../x11/qt4-libs/Makefile.common"
--- a/x11/qt4-libs/distinfo
+++ b/x11/qt4-libs/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.97 2015/03/24 14:28:52 joerg Exp $
+$NetBSD: distinfo,v 1.98 2015/03/24 21:43:52 bsiegert Exp $

 SHA1 (qt-everywhere-opensource-src-4.8.6.tar.gz) = ddf9c20ca8309a116e0466c42984238009525da6
 RMD160 (qt-everywhere-opensource-src-4.8.6.tar.gz) = 0220d4e76ac761c9ecfb8ddab6f2c1dc6ad70c33
@ -69,6 +69,7 @@ SHA1 (patch-src_3rdparty_webkit_Source_WebCore_platform_graphics_filters_arm_FEL
 SHA1 (patch-src_3rdparty_webkit_Source_WebCore_platform_qt_PlatformKeyboardEventQt.cpp) = b28cf71983f8e71b82b1c634a10b3898ca13ede5
 SHA1 (patch-src_corelib_io_io.pri) = cde98927b524c92fae1e053c2359e77bde2c240a
 SHA1 (patch-src_corelib_io_qfilesystemwatcher.cpp) = bb16b95d20286b1aa069dc25843d7e0067cc0268
+SHA1 (patch-src_gui_image_qbmphandler.cpp) = efe717ee805f808dc8a1ce7c56b3872bc3d75f69
 SHA1 (patch-src_gui_kernel_qcocoaapplicationdelegate__mac.mm) = 0caa9b006b3ffee4ab747fca9fd224c7c49211c9
 SHA1 (patch-src_network_ssl_qsslsocket__openssl__symbols.cpp) = 3ad682b86d2e9bd2b282caa298508dc3e9dd8566
 SHA1 (patch-src_network_ssl_qsslsocket__openssl__symbols__p.h) = 417846ba9edab8638cafa41a54ef60029467ef80
--- a/x11/qt4-libs/patches/patch-src_gui_image_qbmphandler.cpp
+++ b/x11/qt4-libs/patches/patch-src_gui_image_qbmphandler.cpp
@ -0,0 +1,25 @@
+$NetBSD: patch-src_gui_image_qbmphandler.cpp,v 1.1 2015/03/24 21:43:52 bsiegert Exp $
+https://codereview.qt-project.org/#/c/107108/4
+
+Fix a division by zero when processing malformed BMP files.
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+--- src/gui/image/qbmphandler.cpp.orig	2015-03-24 20:09:44.000000000 +0000
+++ src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
+	if (((red_mask >> red_shift) + 1) == 0)
+            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
+	if (((green_mask >> green_shift) + 1) == 0)
+            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
+	if (((blue_mask >> blue_shift) + 1) == 0)
+            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;