Bugzilla – Attachment 22674 Details for
Bug 58356
VUL-0: CVE-2004-0691: qt: bmp parser overflow
[patch]
parts between 3.3.2 and 3.3.3 that seem to be relevant.
qt.pat (text/plain), 9.28 KB, created by
Marcus Meissner
on 2004-08-12 16:31:23 UTC
Description:
parts between 3.3.2 and 3.3.3 that seem to be relevant.
Filename:
MIME Type:
Creator:
Marcus Meissner
Created:
2004-08-12 16:31:23 UTC
Size:
9.28 KB
patch
obsolete
>diff -pur qt-x11-free-3.3.2/src/kernel/qasyncimageio.cpp qt-x11-free-3.3.3/src/kernel/qasyncimageio.cpp
>--- qt-x11-free-3.3.2/src/kernel/qasyncimageio.cpp 2004-04-19 11:36:02.000000000 +0200
>+++ qt-x11-free-3.3.3/src/kernel/qasyncimageio.cpp 2004-08-05 16:42:03.000000000 +0200
>@@ -1,5 +1,5 @@
> /****************************************************************************
>-** $Id: qt/qasyncimageio.cpp 3.3.2 edited Dec 6 17:56 $
>+** $Id: qt/qasyncimageio.cpp 3.3.3 edited Jul 27 15:31 $
> **
> ** Implementation of asynchronous image/movie loading classes
> **
>@@ -992,6 +992,7 @@ int QGIFFormat::decode(QImage& img, QIma
> accum = 0;
> bitcount = 0;
> sp = stack;
>+ firstcode = oldcode = 0;
> needfirst = FALSE;
> out_of_bounds = FALSE;
> }
>diff -pur qt-x11-free-3.3.2/src/kernel/qimage.cpp qt-x11-free-3.3.3/src/kernel/qimage.cpp
>--- qt-x11-free-3.3.2/src/kernel/qimage.cpp 2004-04-19 11:36:05.000000000 +0200
>+++ qt-x11-free-3.3.3/src/kernel/qimage.cpp 2004-08-05 16:42:06.000000000 +0200
>@@ -1,5 +1,5 @@
> /****************************************************************************
>-** $Id: qt/qimage.cpp 3.3.2 edited Mar 29 14:59 $
>+** $Id: qt/qimage.cpp 3.3.3 edited Jul 28 14:16 $
> **
> ** Implementation of QImage and QImageIO classes
> **
>@@ -730,6 +730,15 @@ QImage QImage::copy(int x, int y, int w,
> that->setAlphaBuffer( TRUE );
> }
> image.setAlphaBuffer(hasAlphaBuffer());
>+ image.data->dpmx = dotsPerMeterX();
>+ image.data->dpmy = dotsPerMeterY();
>+ image.data->offset = offset();
>+#ifndef QT_NO_IMAGE_TEXT
>+ if ( data->misc ) {
>+ image.data->misc = new QImageDataMisc;
>+ *image.data->misc = misc();
>+ }
>+#endif
> return image;
> }
>
>@@ -4818,6 +4827,7 @@ bool read_dib( QDataStream& s, int offse
> if ( comp == BMP_RLE8 ) { // run length compression
> int x=0, y=0, b;
> register uchar *p = line[h-1];
>+ const uchar *endp = line[h-1]+w;
> while ( y < h ) {
> if ( (b=d->getch()) == EOF )
> break;
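Review bot: The added `firstcode = oldcode = 0;` in QGIFFormat::decode carries no comment, so the reason for the reset is not visible to the next reader. Presumably it keeps the LZW decoder from using stale or uninitialised codes when the image data does not begin with a clear code; if that is the intent, say so, e.g. `// reset LZW state: the data may not start with a clear code`. The enclosing function starts and ends outside this hunk, so whether the lookups that consume these values are bounds-checked cannot be confirmed from here.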
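Review bot: `endp` in read_dib is computed once as `line[h-1]+w`, so it bounds the whole pixel buffer rather than the row `p` currently points into, and it is a valid upper bound only if the scanlines are contiguous with `line[h-1]` at the highest address. Nothing in the hunk states that assumption; a comment such as `// end of pixel data: rows are contiguous and line[h-1] is the last one in memory` would make it checkable. With a whole-buffer bound, a run that crosses from one row into the adjacent one would not trip the checks added in the later read_dib hunks. The RLE8 branch continues beyond this hunk.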
>@@ -4835,9 +4845,20 @@ bool read_dib( QDataStream& s, int offse
> case 2: // delta (jump)
> x += d->getch();
> y += d->getch();
>+
>+ // Protection
>+ if ( (uint)x >= (uint)w )
>+ x = w-1;
>+ if ( (uint)y >= (uint)h )
>+ y = h-1;
>+
> p = line[h-y-1] + x;
> break;
> default: // absolute mode
>+ // Protection
>+ if ( p + b > endp )
>+ b = endp-p;
>+
> if ( d->readBlock( (char *)p, b ) != b )
> return FALSE;
> if ( (b & 1) == 1 )
>@@ -4846,6 +4867,10 @@ bool read_dib( QDataStream& s, int offse
> p += b;
> }
> } else { // encoded mode
>+ // Protection
>+ if ( p + b > endp )
>+ b = endp-p;
>+
> memset( p, d->getch(), b ); // repeat pixel
> x += b;
> p += b;
>@@ -5641,6 +5666,21 @@ static bool read_xpm_string( QCString &b
> }
>
>
>+
>+static int nextColorSpec(const QCString & buf)
>+{
>+ int i = buf.find(" c ");
>+ if (i < 0)
>+ i = buf.find(" g ");
>+ if (i < 0)
>+ i = buf.find(" g4 ");
>+ if (i < 0)
>+ i = buf.find(" m ");
>+ if (i < 0)
>+ i = buf.find(" s ");
>+ return i;
>+}
>+
> //
> // INTERNAL
> //
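Review bot: In the absolute-mode branch the clamp `b = endp-p` shortens the read but leaves the rest of the run in the stream, and the padding test `(b & 1) == 1` then uses the clamped length, so a malformed file leaves the decoder out of step with its input instead of being rejected. Failing is the safer response to a run that does not fit: `if ( b > endp - p ) return FALSE;`. Comparing against `endp - p` also avoids forming `p + b` beyond the end of the buffer, and the same form applies to the encoded-mode check in the next read_dib hunk. The delta case adds `d->getch()` to `x` and `y` without testing for EOF and relies on the unsigned clamp to absorb a negative result, which deserves a comment saying so.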
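Review bot: nextColorSpec returns the position of the first key found in the fixed order c, g, g4, m, s, not the key that occurs earliest in the string, and no comment documents that. This suits the first call in read_xpm_image_or_array, but the second call (`int end = nextColorSpec(buf);` in the following hunk) uses the result to cut off any further colour spec, and a lower-priority key that appears before a higher-priority one would be left in the value. Either add a header comment stating the priority semantics, e.g. `// Returns the index of the preferred colour key (c, g, g4, m, s in that order), or -1`, or give the truncation an earliest-match search.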
>@@ -5697,23 +5737,17 @@ static void read_xpm_image_or_array( QIm
> index = buf.left( cpp );
> buf = buf.mid( cpp ).simplifyWhiteSpace().lower();
> buf.prepend( " " );
>- i = buf.find( " c " );
>- if ( i < 0 )
>- i = buf.find( " g " );
>- if ( i < 0 )
>- i = buf.find( " g4 " );
>- if ( i < 0 )
>- i = buf.find( " m " );
>+ i = nextColorSpec(buf);
> if ( i < 0 ) {
> #if defined(QT_CHECK_RANGE)
> qWarning( "QImage: XPM color specification is missing: %s", buf.data());
> #endif
>- return; // no c/g/g4/m specification at all
>+ return; // no c/g/g4/m/s specification at all
> }
> buf = buf.mid( i+3 );
> // Strip any other colorspec
>- int end = buf.find(' ', 4);
>- if ( end >= 0 )
>+ int end = nextColorSpec(buf);
>+ if (end != -1)
> buf.truncate(end);
> buf = buf.stripWhiteSpace();
> if ( buf == "none" ) {
>diff -pur qt-x11-free-3.3.2/src/kernel/qjpegio.cpp qt-x11-free-3.3.3/src/kernel/qjpegio.cpp
>--- qt-x11-free-3.3.2/src/kernel/qjpegio.cpp 2004-04-19 11:36:11.000000000 +0200
>+++ qt-x11-free-3.3.3/src/kernel/qjpegio.cpp 2004-08-05 16:42:12.000000000 +0200
>@@ -1,5 +1,5 @@
> /****************************************************************************
>-** $Id: qt/qjpegio.cpp 3.3.2 edited Oct 13 2003 $
>+** $Id: qt/qjpegio.cpp 3.3.3 edited Jul 21 14:16 $
> **
> ** Implementation of JPEG QImage IOHandler
> **
>@@ -254,15 +254,18 @@ void read_jpeg_image(QImageIO* iio)
> scaleSize( sWidth, sHeight, cinfo.output_width, cinfo.output_height, sMode );
> // qDebug( "Scaling the jpeg to %i x %i", sWidth, sHeight, sModeStr );
>
>+ bool created = FALSE;
> if ( cinfo.output_components == 3 || cinfo.output_components == 4) {
>- image.create( sWidth, sHeight, 32 );
>+ created = image.create( sWidth, sHeight, 32 );
> } else if ( cinfo.output_components == 1 ) {
>- image.create( sWidth, sHeight, 8, 256 );
>+ created = image.create( sWidth, sHeight, 8, 256 );
> for (int i=0; i<256; i++)
> image.setColor(i, qRgb(i,i,i));
> } else {
> // Unsupported format
> }
>+ if (!created)
>+ image = QImage();
>
> if (!image.isNull()) {
> QImage tmpImage( cinfo.output_width, 1, 32 );
>@@ -296,53 +299,58 @@ void read_jpeg_image(QImageIO* iio)
> }
> }
> (void) jpeg_finish_decompress(&cinfo);
>- }
>+ }
>
> } else {
>
>+ bool created = false;
> if ( cinfo.output_components == 3 || cinfo.output_components == 4) {
>- image.create( cinfo.output_width, cinfo.output_height, 32 );
>+ created = image.create( cinfo.output_width, cinfo.output_height, 32 );
> } else if ( cinfo.output_components == 1 ) {
>- image.create( cinfo.output_width, cinfo.output_height, 8, 256 );
>+ created = image.create( cinfo.output_width, cinfo.output_height, 8, 256 );
> for (int i=0; i<256; i++)
> image.setColor(i, qRgb(i,i,i));
> } else {
> // Unsupported format
> }
>+ if (!created)
>+ image = QImage();
>
> if (!image.isNull()) {
> uchar** lines = image.jumpTable();
> while (cinfo.output_scanline < cinfo.output_height)
> (void) jpeg_read_scanlines(&cinfo,
>- lines + cinfo.output_scanline,
>- cinfo.output_height);
>+ lines + cinfo.output_scanline,
>+ cinfo.output_height);
> (void) jpeg_finish_decompress(&cinfo);
>- }
>
>- if ( cinfo.output_components == 3 ) {
>- // Expand 24->32 bpp.
>- for (uint j=0; j<cinfo.output_height; j++) {
>- uchar *in = image.scanLine(j) + cinfo.output_width * 3;
>- QRgb *out = (QRgb*)image.scanLine(j);
>-
>- for (uint i=cinfo.output_width; i--; ) {
>- in-=3;
>- out[i] = qRgb(in[0], in[1], in[2]);
>- }
>- }
>- }
>+ if ( cinfo.output_components == 3 ) {
>+ // Expand 24->32 bpp.
>+ for (uint j=0; j<cinfo.output_height; j++) {
>+ uchar *in = image.scanLine(j) + cinfo.output_width * 3;
>+ QRgb *out = (QRgb*)image.scanLine(j);
>+
>+ for (uint i=cinfo.output_width; i--; ) {
>+ in-=3;
>+ out[i] = qRgb(in[0], in[1], in[2]);
>+ }
>+ }
>+ }
>+ }
> }
>
>- if ( cinfo.density_unit == 1 ) {
>- image.setDotsPerMeterX( int(100. * cinfo.X_density / 2.54) );
>- image.setDotsPerMeterY( int(100. * cinfo.Y_density / 2.54) );
>- } else if ( cinfo.density_unit == 2 ) {
>- image.setDotsPerMeterX( int(100. * cinfo.X_density) );
>- image.setDotsPerMeterY( int(100. * cinfo.Y_density) );
>- }
>+ if (!image.isNull()) {
>+ if ( cinfo.density_unit == 1 ) {
>+ image.setDotsPerMeterX( int(100. * cinfo.X_density / 2.54) );
>+ image.setDotsPerMeterY( int(100. * cinfo.Y_density / 2.54) );
>+ } else if ( cinfo.density_unit == 2 ) {
>+ image.setDotsPerMeterX( int(100. * cinfo.X_density) );
>+ image.setDotsPerMeterY( int(100. * cinfo.Y_density) );
>+ }
>+ }
>
> iio->setImage(image);
>- iio->setStatus(0);
>+ iio->setStatus(image.isNull());
> }
>
> jpeg_destroy_decompress(&cinfo);
>@@ -476,6 +484,21 @@ void write_jpeg_image(QImageIO* iio)
> }
>
> jpeg_set_defaults(&cinfo);
>+
>+ float diffInch = QABS(image.dotsPerMeterX()*2.54/100. - qRound(image.dotsPerMeterX()*2.54/100.))
>+ + QABS(image.dotsPerMeterY()*2.54/100. - qRound(image.dotsPerMeterY()*2.54/100.));
>+ float diffCm = (QABS(image.dotsPerMeterX()/100. - qRound(image.dotsPerMeterX()/100.))
>+ + QABS(image.dotsPerMeterY()/100. - qRound(image.dotsPerMeterY()/100.)))*2.54;
>+ if (diffInch < diffCm) {
>+ cinfo.density_unit = 1; // dots/inch
>+ cinfo.X_density = qRound(image.dotsPerMeterX()*2.54/100.);
>+ cinfo.Y_density = qRound(image.dotsPerMeterY()*2.54/100.);
>+ } else {
>+ cinfo.density_unit = 2; // dots/cm
>+ cinfo.X_density = (image.dotsPerMeterX()+50) / 100;
>+ cinfo.Y_density = (image.dotsPerMeterY()+50) / 100;
>+ }
>+
> int quality = iio->quality() >= 0 ? QMIN(iio->quality(),100) : 75;
> #if defined(Q_OS_UNIXWARE)
> jpeg_set_quality(&cinfo, quality, B_TRUE /* limit to baseline-JPEG values */);
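Review bot: `iio->setStatus(image.isNull());` at the end of the read_jpeg_image hunk passes a bool where the removed line passed the literal status `0`, so the failure code is left implicit; `iio->setStatus( image.isNull() ? 1 : 0 );` states it. `iio->setImage(image)` is still called when creation failed, so a caller that ignores the status receives a null image. This hunk also writes `bool created = false;` while the same pattern in the earlier read_jpeg_image hunk uses `FALSE`; one spelling should be used for both. The function starts and ends outside the hunk.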
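Review bot: The density block in write_jpeg_image stores `qRound(...)` and `(image.dotsPerMeterX()+50) / 100` into `cinfo.X_density` and `cinfo.Y_density` with no range check; libjpeg declares those fields as UINT16, so a very large or negative dots-per-metre value carried over from a loaded image would be truncated silently. Clamping the results to 0..65535 before the assignment keeps the written header consistent with the image. The conversion `image.dotsPerMeterX()*2.54/100.` is also evaluated several times per axis; computing it once into a local would make the unit choice easier to follow. write_jpeg_image continues outside this hunk.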