From 4acf353ffd1a300ee0e4656ba6473cc58b18dcef Mon Sep 17 00:00:00 2001
From: Kai Kang <kai.kang@windriver.com>
Date: Wed, 27 May 2015 17:40:40 +0800
Subject: qt4: fix CVE issues

Backport patches to fix qt4 CVE issues:

* CVE-2015-1858
* CVE-2015-1859
* CVE-2015-1860

(From OE-Core rev: e57a090d8f806f55b99649e072b4d2dde6f036ee)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  2 +
 ...Fixes-crash-in-bmp-and-ico-image-decoding.patch | 71 ++++++++++++++++++++++
 .../0036-Fixes-crash-in-gif-image-decoder.patch    | 39 ++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/0035-Fixes-crash-in-bmp-and-ico-image-decoding.patch
 create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/0036-Fixes-crash-in-gif-image-decoder.patch

(limited to 'meta/recipes-qt')

diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
index 19f52a7711..44cf47440e 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
@@ -27,6 +27,8 @@ SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
            file://0031-aarch64_arm64_mkspecs.patch \
            file://0032-aarch64_add_header.patch \
            file://0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch \
+           file://0035-Fixes-crash-in-bmp-and-ico-image-decoding.patch \
+           file://0036-Fixes-crash-in-gif-image-decoder.patch \
            file://Fix-QWSLock-invalid-argument-logs.patch \
            file://g++.conf \
            file://linux.conf \
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/0035-Fixes-crash-in-bmp-and-ico-image-decoding.patch b/meta/recipes-qt/qt4/qt4-4.8.6/0035-Fixes-crash-in-bmp-and-ico-image-decoding.patch
new file mode 100644
index 0000000000..c88879a38a
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/0035-Fixes-crash-in-bmp-and-ico-image-decoding.patch
@@ -0,0 +1,71 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2015-1858 and CVE-2015-1859
+
+http://code.qt.io/cgit/qt/qt.git/commit/?id=3e55cd6
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: [PATCH] Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qbmphandler.cpp                | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 30fa9e0..17a880b 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
++
++                            // Protection
++                            if ((uint)x >= (uint)w)
++                                x = w-1;
++                            if ((uint)y >= (uint)h)
++                                y = h-1;
++
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 1a88605..3c34765 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
++                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
+-- 
+2.4.1
+
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/0036-Fixes-crash-in-gif-image-decoder.patch b/meta/recipes-qt/qt4/qt4-4.8.6/0036-Fixes-crash-in-gif-image-decoder.patch
new file mode 100644
index 0000000000..c1baf0e53a
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/0036-Fixes-crash-in-gif-image-decoder.patch
@@ -0,0 +1,39 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2015-1860
+
+http://code.qt.io/cgit/qt/qt.git/commit/?id=9f2425a
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: [PATCH] Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 5199dd3..49aa2a6 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+ 
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++    if (out_of_bounds)
++        return;
+     int my;
+     switch (interlace) {
+     case 0: // Non-interlaced
+-- 
+2.4.1
+
-- 
cgit v1.2.3-54-g00ecf