Hello community, here is the log from the commit of package qt3 checked in at Fri Oct 20 13:10:00 CEST 2006. -------- --- KDE/qt3/qt3-devel-doc.changes 2006-10-12 15:20:33.000000000 +0200 +++ /mounts/work_src_done/STABLE/qt3/qt3-devel-doc.changes 2006-10-20 13:09:42.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Oct 19 15:21:51 CEST 2006 - dmueller@suse.de + +- add patch for integer overflow in QPixmap/QImage + (#212544, CVE-2006-4811) + +------------------------------------------------------------------- qt3-extensions.changes: same change qt3-static.changes: same change qt3.changes: same change New: ---- CVE-2006-4811.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qt3-devel-doc.spec ++++++ --- /var/tmp/diff_new_pack.mU4rim/_old 2006-10-20 13:09:50.000000000 +0200 +++ /var/tmp/diff_new_pack.mU4rim/_new 2006-10-20 13:09:50.000000000 +0200 @@ -13,12 +13,12 @@ Name: qt3-devel-doc BuildRequires: cups-devel freeglut-devel freetype2-devel gcc-c++ libjpeg-devel libmng-devel libpng-devel pkgconfig qt3-devel update-desktop-files Url: http://www.trolltech.com/ -License: GPL, QPL +License: Other License(s), see package Autoreqprov: on Summary: Qt 3 Development Kit Group: Documentation/HTML Version: 3.3.6 -Release: 23 +Release: 27 PreReq: /bin/grep BuildArch: noarch Provides: qt3-devel-tutorial @@ -83,6 +83,7 @@ Patch115: restore-qtextedit-performance.diff Patch116: pedantic-headers.diff Patch117: qtimer-debug.diff +Patch118: CVE-2006-4811.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -144,6 +145,7 @@ %patch115 %patch116 %patch117 +%patch118 ln -sf $PWD/src/inputmethod/qinputcontextfactory.h include/ ln -sf $PWD/src/inputmethod/qinputcontextplugin.h include/ ln -sf $PWD/src/kernel/qinputcontext.h include/ 
@@ -227,6 +229,9 @@ /usr/share/pixmaps/assistant3.png %changelog -n qt3-devel-doc +* Thu Oct 19 2006 - dmueller@suse.de +- add patch for integer overflow in QPixmap/QImage + (#212544, CVE-2006-4811) * Tue Oct 10 2006 - dmueller@suse.de - add patch for qtimer debugging * Wed Oct 04 2006 - dmueller@suse.de ++++++ qt3-extensions.spec ++++++ --- /var/tmp/diff_new_pack.mU4rim/_old 2006-10-20 13:09:50.000000000 +0200 +++ /var/tmp/diff_new_pack.mU4rim/_new 2006-10-20 13:09:50.000000000 +0200 @@ -12,9 +12,9 @@ Name: qt3-extensions BuildRequires: cups-devel krb5-devel libjpeg-devel mysql-devel postgresql-devel qt3-devel sqlite2-devel unixODBC-devel update-desktop-files -License: GPL, QPL +License: GNU General Public License (GPL) - all versions, THE Q PUBLIC LICENSE (QPL) Version: 3.3.6 -Release: 23 +Release: 29 Autoreqprov: on Requires: qt3 = %version Group: Development/Tools/Other @@ -78,6 +78,7 @@ Patch115: restore-qtextedit-performance.diff Patch116: pedantic-headers.diff Patch117: qtimer-debug.diff +Patch118: CVE-2006-4811.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -137,6 +138,7 @@ %patch115 %patch116 %patch117 +%patch118 ln -sf $PWD/src/inputmethod/qinputcontextfactory.h include/ ln -sf $PWD/src/inputmethod/qinputcontextplugin.h include/ ln -sf $PWD/src/kernel/qinputcontext.h include/ @@ -471,6 +473,9 @@ %{_mandir}/man*/* %changelog -n qt3-extensions +* Thu Oct 19 2006 - dmueller@suse.de +- add patch for integer overflow in QPixmap/QImage + (#212544, CVE-2006-4811) * Tue Oct 10 2006 - dmueller@suse.de - add patch for qtimer debugging * Wed Oct 04 2006 - dmueller@suse.de ++++++ qt3-static.spec ++++++ --- /var/tmp/diff_new_pack.mU4rim/_old 2006-10-20 13:09:50.000000000 +0200 +++ /var/tmp/diff_new_pack.mU4rim/_new 2006-10-20 13:09:50.000000000 +0200 
@@ -12,12 +12,12 @@ Name: qt3-static BuildRequires: cups-devel freeglut-devel freetype2-devel gcc-c++ libdrm-devel libjpeg-devel libmng-devel libpng-devel -License: GPL, QPL +License: Other License(s), see package Group: Development/Libraries/X11 Autoreqprov: on Summary: static program library for developing applications with graphical user interfaces Version: 3.3.6 -Release: 23 +Release: 27 %define x11_free -x11-free- %define rversion %version # COMMON-BEGIN @@ -77,6 +77,7 @@ Patch115: restore-qtextedit-performance.diff Patch116: pedantic-headers.diff Patch117: qtimer-debug.diff +Patch118: CVE-2006-4811.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -147,6 +148,7 @@ %patch115 %patch116 %patch117 +%patch118 ln -sf $PWD/src/inputmethod/qinputcontextfactory.h include/ ln -sf $PWD/src/inputmethod/qinputcontextplugin.h include/ ln -sf $PWD/src/kernel/qinputcontext.h include/ @@ -236,6 +238,9 @@ #/usr/lib/qt3/%{_lib}/libqt-mini.a %changelog -n qt3-static +* Thu Oct 19 2006 - dmueller@suse.de +- add patch for integer overflow in QPixmap/QImage + (#212544, CVE-2006-4811) * Tue Oct 10 2006 - dmueller@suse.de - add patch for qtimer debugging * Wed Oct 04 2006 - dmueller@suse.de ++++++ qt3.spec ++++++ --- /var/tmp/diff_new_pack.mU4rim/_old 2006-10-20 13:09:50.000000000 +0200 +++ /var/tmp/diff_new_pack.mU4rim/_new 2006-10-20 13:09:50.000000000 +0200 @@ -14,12 +14,12 @@ #Remember also to modify Requires in -devel package BuildRequires: Mesa-devel c++_compiler cups-devel freetype2-devel libjpeg-devel libmng-devel libpng-devel pkgconfig update-desktop-files xorg-x11-devel URL: http://www.trolltech.com/ -License: GPL, QPL +License: Other License(s), see package, GNU General Public License (GPL) - all versions Group: System/Libraries Autoreqprov: on Summary: A library for developing applications with graphical user interfaces Version: 3.3.6 -Release: 23 +Release: 27 Provides: qt_library_%version PreReq: /bin/grep %define x11_free -x11-free- 
@@ -80,6 +80,7 @@ Patch115: restore-qtextedit-performance.diff Patch116: pedantic-headers.diff Patch117: qtimer-debug.diff +Patch118: CVE-2006-4811.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -148,6 +149,7 @@ %patch115 %patch116 %patch117 +%patch118 ln -sf $PWD/src/inputmethod/qinputcontextfactory.h include/ ln -sf $PWD/src/inputmethod/qinputcontextplugin.h include/ ln -sf $PWD/src/kernel/qinputcontext.h include/ @@ -367,6 +369,9 @@ /etc/profile.d/qt3.* %changelog -n qt3 +* Thu Oct 19 2006 - dmueller@suse.de +- add patch for integer overflow in QPixmap/QImage + (#212544, CVE-2006-4811) * Tue Oct 10 2006 - dmueller@suse.de - add patch for qtimer debugging * Wed Oct 04 2006 - dmueller@suse.de ++++++ CVE-2006-4811.patch ++++++ --- src/kernel/qfontengine_x11.cpp +++ src/kernel/qfontengine_x11.cpp @@ -171,7 +171,8 @@ QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h)); QRect br2 = br & pdevRect; - if (br2.width() <= 0 || br2.height() <= 0) + if (br2.width() <= 0 || br2.height() <= 0 + || br2.width() >= 32768 || br2.height() >= 32768) return; QWMatrix mat = QPixmap::trueMatrix( xmat, w, h ); QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat); --- src/kernel/qimage.cpp +++ src/kernel/qimage.cpp @@ -475,7 +475,12 @@ Endian bitOrder ) { init(); - if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + int bpl = ((w*depth+31)/32)*4; // bytes per scanline + if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(depth) < uint(w) + || bpl <= 0 + || INT_MAX / uint(bpl) < uint(h) ) return; // invalid parameter(s) data->w = w; data->h = h; @@ -483,7 +488,6 @@ data->ncols = depth != 32 ? numColors : 0; if ( !yourdata ) return; // Image header info can be saved without needing to allocate memory. - int bpl = ((w*depth+31)/32)*4; // bytes per scanline data->nbytes = bpl*h; if ( colortable || !data->ncols ) { data->ctbl = colortable; 
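Review bot: The bound `32768` added to the early-return test in src/kernel/qfontengine_x11.cpp is a bare literal with no explanation, and the same literal recurs in the qpixmap_x11.cpp hunks at -953 and -1718. From the code alone a maintainer cannot tell whether this is a protocol limit or an arbitrary cap, nor that the three sites must stay in step. If it is the X11 16-bit width/height range, as it appears to be, say so once at the first use, for example `// X11 carries dimensions as 16-bit values; refuse anything larger`, and refer to that comment from the other two sites. The enclosing function starts and ends outside the hunk.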
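Review bot: In the src/kernel/qimage.cpp hunk at -475, `int bpl = ((w*depth+31)/32)*4;` is now evaluated before the guards that follow it, so the signed multiplication and the `+31` can overflow before `INT_MAX / uint(depth) < uint(w)` has had a chance to reject the input. Signed overflow is undefined behaviour, and the new `bpl <= 0` term only catches the bad case if the result happens to wrap negative. It would be more robust to keep the `w`/`h`/`depth` tests first, add `|| w*depth > INT_MAX - 31` after the width/depth guard, and compute `bpl` only once those have passed. The constructor's signature and the rest of its body lie outside the hunk.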
@@ -525,7 +529,10 @@ Endian bitOrder ) { init(); - if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(bpl) < uint(h) + ) return; // invalid parameter(s) data->w = w; data->h = h; @@ -1264,7 +1271,7 @@ if ( data->ncols != numColors ) // could not alloc color table return FALSE; - if ( INT_MAX / depth < width) { // sanity check for potential overflow + if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; } @@ -1277,7 +1284,9 @@ // #### WWA: shouldn't this be (width*depth+7)/8: const int pad = bpl - (width*depth)/8; // pad with zeros #endif - if (INT_MAX / bpl < height) { // sanity check for potential overflow + if ( INT_MAX / uint(bpl) < uint(height) + || bpl < 0 + || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; } --- src/kernel/qpixmap_x11.cpp +++ src/kernel/qpixmap_x11.cpp @@ -953,6 +953,9 @@ bool force_mono = (dd == 1 || isQBitmap() || (conversion_flags & ColorMode_Mask)==MonoOnly ); + if ( w >= 32768 || h >= 32768 ) + return FALSE; + // get rid of the mask delete data->mask; data->mask = 0; @@ -1678,11 +1681,11 @@ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const { - int w = 0; - int h = 0; // size of target pixmap - int ws, hs; // size of source pixmap + uint w = 0; + uint h = 0; // size of target pixmap + uint ws, hs; // size of source pixmap uchar *dptr; // data in target pixmap - int dbpl, dbytes; // bytes per line/bytes total + uint dbpl, dbytes; // bytes per line/bytes total uchar *sptr; // data in original pixmap int sbpl; // bytes per line in original int bpp; // bits per pixel 
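Review bot: The new term `INT_MAX / uint(bpl) < uint(h)` in the qimage.cpp hunk at -525 divides by `bpl` without first rejecting zero; unlike the hunk at -475, no `bpl <= 0` test was added here. `bpl` is not computed in the visible lines, so it is presumably a caller-supplied parameter (the signature is outside the hunk), and a value of 0 would be a division by zero rather than a clean rejection. Putting `|| bpl <= 0` ahead of the division closes that. The hunk at -1277 has the same ordering issue: `bpl < 0` is tested after `INT_MAX / uint(bpl)` and does not cover 0, so `bpl <= 0 || INT_MAX / uint(bpl) < uint(height)` would be the safer order.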
@@ -1697,19 +1700,24 @@ QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. ); + double scaledWidth; + double scaledHeight; + if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) { if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F ) return *this; // identity matrix - h = qRound( matrix.m22()*hs ); - w = qRound( matrix.m11()*ws ); - h = QABS( h ); - w = QABS( w ); + scaledHeight = matrix.m22()*hs; + scaledWidth = matrix.m11()*ws; + h = QABS( qRound( scaledHeight ) ); + w = QABS( qRound( scaledWidth ) ); } else { // rotation or shearing QPointArray a( QRect(0,0,ws+1,hs+1) ); a = mat.map( a ); QRect r = a.boundingRect().normalize(); w = r.width()-1; h = r.height()-1; + scaledWidth = w; + scaledHeight = h; } mat = trueMatrix( mat, ws, hs ); // true matrix @@ -1718,7 +1726,8 @@ bool invertible; mat = mat.invert( &invertible ); // invert matrix - if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap + if ( h == 0 || w == 0 || !invertible + || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap QPixmap pm; pm.data->bitmap = data->bitmap; return pm; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
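Review bot: In the QPixmap::xForm hunk at -1697 the scaled sizes are rounded before they are range-checked: `h = QABS( qRound( scaledHeight ) )` runs first, and the `QABS(scaledHeight) >= 32768` test only arrives in the following hunk at -1718. Converting a double that does not fit in an int is undefined, so a very large scale factor reaches that conversion before anything rejects it. The `>=` form also lets NaN through, because every ordered comparison with NaN is false. I would test the doubles right after they are computed and invert the comparison, `if ( !(QABS(scaledWidth) < 32768) || !(QABS(scaledHeight) < 32768) )`, returning the null pixmap at that point. xForm's body continues outside both hunks.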