Gentoo's Bugzilla – Attachment 100045 Details for
Bug 151838
x11-libs/qt: khtml/qt integer overflow (CVE-2006-4811)
[patch]
patch
qt3_pixmap_patch.txt (text/plain), 4.83 KB, created by
Dirk Mueller
on 2006-10-19 13:24:20 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Dirk Mueller
Created:
2006-10-19 13:24:20 UTC
Size:
4.83 KB
patch
obsolete
>--- //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
>+++ //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
> 
>@@ -171,7 +171,8 @@
> 
> QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h));
> QRect br2 = br & pdevRect;
>- if (br2.width() <= 0 || br2.height() <= 0)
>+ if (br2.width() <= 0 || br2.height() <= 0
>+ || br2.width() >= 32768 || br2.height() >= 32768)
> return;
> QWMatrix mat = QPixmap::trueMatrix( xmat, w, h );
> QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat);
> 
>--- //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
>+++ //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
> 
>@@ -475,7 +475,12 @@
> Endian bitOrder )
> {
> init();
>- if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
>+ int bpl = ((w*depth+31)/32)*4; // bytes per scanline
>+ if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
>+ || INT_MAX / sizeof(uchar *) < uint(h)
>+ || INT_MAX / uint(depth) < uint(w)
>+ || bpl <= 0
>+ || INT_MAX / uint(bpl) < uint(h) )
> return; // invalid parameter(s)
> data->w = w;
> data->h = h;
>@@ -483,7 +488,6 @@
> data->ncols = depth != 32 ? numColors : 0;
> if ( !yourdata )
> return; // Image header info can be saved without needing to allocate memory.
>- int bpl = ((w*depth+31)/32)*4; // bytes per scanline
> data->nbytes = bpl*h;
> if ( colortable || !data->ncols ) {
> data->ctbl = colortable;
>@@ -525,7 +529,10 @@
> Endian bitOrder )
> {
> init();
>- if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
>+ if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
>+ || INT_MAX / sizeof(uchar *) < uint(h)
>+ || INT_MAX / uint(bpl) < uint(h)
>+ )
> return; // invalid parameter(s)
> data->w = w;
> data->h = h;
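Review bot: In the qimage.cpp hunk at @@ -475, `int bpl = ((w*depth+31)/32)*4;` is now evaluated before the `INT_MAX / uint(depth) < uint(w)` test that exists to guard exactly that product, so `w*depth` can still overflow as a signed `int` before any check runs; because signed overflow is undefined behaviour in C++, the later `bpl <= 0` test is not a reliable way to detect the wrap. The width/depth test should come first and the scanline size be computed only after it, e.g. reject on `w <= 0 || h <= 0 || depth <= 0 || numColors < 0 || INT_MAX / uint(depth) < uint(w)` and then `int bpl = ((w*depth+31)/32)*4;` followed by the `bpl`/`h` checks. Note also that `w*depth+31` can exceed INT_MAX even when `w*depth` does not, so the width bound needs headroom for the +31 rounding. The constructor's body continues past the hunk.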
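Review bot: In the qimage.cpp hunk at @@ -525 the new condition divides by `uint(bpl)` although nothing in the hunk rejects a zero `bpl` first; `bpl` is not declared in this hunk, so it is presumably the caller-supplied bytes-per-line parameter of this constructor, and a value of 0 makes `INT_MAX / uint(bpl)` a division by zero before the function can return. The hunk at @@ -1277 has the same ordering, with `bpl < 0` tested only after `INT_MAX / uint(bpl)` has already been evaluated (a negative value happens to be rejected there anyway because `uint(bpl)` becomes huge, but zero is not). Testing the sign before dividing, as the @@ -475 hunk does, resolves both: `|| bpl <= 0 || INT_MAX / uint(bpl) < uint(h)`. Neither enclosing function is fully visible in its hunk.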
>@@ -1264,7 +1271,7 @@
> if ( data->ncols != numColors ) // could not alloc color table
> return FALSE;
> 
>- if ( INT_MAX / depth < width) { // sanity check for potential overflow
>+ if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
> setNumColors( 0 );
> return FALSE;
> }
>@@ -1277,7 +1284,9 @@
> // #### WWA: shouldn't this be (width*depth+7)/8:
> const int pad = bpl - (width*depth)/8; // pad with zeros
> #endif
>- if (INT_MAX / bpl < height) { // sanity check for potential overflow
>+ if ( INT_MAX / uint(bpl) < uint(height)
>+ || bpl < 0
>+ || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
> setNumColors( 0 );
> return FALSE;
> }
> 
>--- //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
>+++ //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
> 
>@@ -953,6 +953,9 @@
> bool force_mono = (dd == 1 || isQBitmap() ||
> (conversion_flags & ColorMode_Mask)==MonoOnly );
> 
>+ if ( w >= 32768 || h >= 32768 )
>+ return FALSE;
>+
> // get rid of the mask
> delete data->mask;
> data->mask = 0;
>@@ -1678,11 +1681,11 @@
> 
> QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
> {
>- int w = 0;
>- int h = 0; // size of target pixmap
>- int ws, hs; // size of source pixmap
>+ uint w = 0;
>+ uint h = 0; // size of target pixmap
>+ uint ws, hs; // size of source pixmap
> uchar *dptr; // data in target pixmap
>- int dbpl, dbytes; // bytes per line/bytes total
>+ uint dbpl, dbytes; // bytes per line/bytes total
> uchar *sptr; // data in original pixmap
> int sbpl; // bytes per line in original
> int bpp; // bits per pixel
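Review bot: The `w >= 32768 || h >= 32768` guard in the qpixmap_x11.cpp hunk at @@ -953 repeats, as a bare literal, the same limit the qfontengine_x11.cpp hunk applies to `br2` and the xForm hunk at @@ -1718 applies to `scaledWidth`/`scaledHeight`; a named constant would document the intent and keep the three checks in step, e.g. `static const int MaxPixmapDimension = 32768; // largest width/height this code will hand to the X server`. As written a reader has to guess whether the number is a protocol limit or an arbitrary cap, and a later change to one site will not be mirrored at the others. The enclosing function starts and ends outside the hunk, so where `w` and `h` come from is not visible here.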
>@@ -1697,19 +1700,24 @@
> 
> QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
> 
>+ double scaledWidth;
>+ double scaledHeight;
>+
> if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
> if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
> return *this; // identity matrix
>- h = qRound( matrix.m22()*hs );
>- w = qRound( matrix.m11()*ws );
>- h = QABS( h );
>- w = QABS( w );
>+ scaledHeight = matrix.m22()*hs;
>+ scaledWidth = matrix.m11()*ws;
>+ h = QABS( qRound( scaledHeight ) );
>+ w = QABS( qRound( scaledWidth ) );
> } else { // rotation or shearing
> QPointArray a( QRect(0,0,ws+1,hs+1) );
> a = mat.map( a );
> QRect r = a.boundingRect().normalize();
> w = r.width()-1;
> h = r.height()-1;
>+ scaledWidth = w;
>+ scaledHeight = h;
> }
> 
> mat = trueMatrix( mat, ws, hs ); // true matrix
>@@ -1718,7 +1726,8 @@
> bool invertible;
> mat = mat.invert( &invertible ); // invert matrix
> 
>- if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap
>+ if ( h == 0 || w == 0 || !invertible
>+ || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap
> QPixmap pm;
> pm.data->bitmap = data->bitmap;
> return pm;
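Review bot: In the xForm hunk at @@ -1697 the scaling branch still calls `qRound( scaledHeight )` and `qRound( scaledWidth )` before the `QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768` test that the @@ -1718 hunk adds, so a matrix that scales the source far beyond the int range converts an out-of-range double to `int` first, which is undefined behaviour in C++; the later range test then runs on values that were already produced by that conversion. On common targets the conversion yields a value the 32768 test still rejects, but the guard should precede the rounding rather than rely on that. The rotation/shearing branch is unaffected since it assigns `scaledWidth`/`scaledHeight` from the already-computed `w`/`h`.

```cpp
    scaledHeight = matrix.m22()*hs;
    scaledWidth = matrix.m11()*ws;
    // range-check the doubles before qRound(): converting an out-of-range
    // double to int is undefined, so the test in the later `if` comes too late
    if ( QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) {
        w = h = 0;                  // takes the null-pixmap path below
    } else {
        h = QABS( qRound( scaledHeight ) );
        w = QABS( qRound( scaledWidth ) );
    }
```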