diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-08-25 10:45:55 +0100 |
commit | 3cf7c3ef441822c889356fd1812ebf2944a59851 (patch) | |
tree | c513fe68548b40365c1c2ebfe35c58ad431cdd77 /dev-qt/qtgui/files | |
parent | 05b8b0e0af1d72e51a3ee61522941bf7605cd01c (diff) |
gentoo resync : 25.08.2020
Diffstat (limited to 'dev-qt/qtgui/files')
-rw-r--r-- | dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch b/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch new file mode 100644 index 000000000000..cad9aa4b682c --- /dev/null +++ b/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch @@ -0,0 +1,39 @@ +From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001 +From: Allan Sandfeld Jensen <allan.jensen@qt.io> +Date: Thu, 23 Jul 2020 11:48:48 +0200 +Subject: Fix buffer overflow in XBM parser + +Avoid parsing over the buffer limit, or interpreting non-hex +as hex. + +This still leaves parsing of lines longer than 300 chars +unreliable + +Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb +Reviewed-by: Robert Loehning <robert.loehning@qt.io> +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> +(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +--- + src/gui/image/qxbmhandler.cpp | 4 ++- + .../gui/image/qimagereader/tst_qimagereader.cpp | 38 ++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp +index f06561690c..72ce7f7ecd 100644 +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -159,7 +159,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage) + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { +-- +cgit v1.2.1 + |