[OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190
jackie.huang at windriver.com
Wed Jun 18 09:41:31 UTC 2014
From: yzhu1 <yanjun.zhu at windriver.com>
The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
to cause a denial of service (NULL pointer dereference) via
invalid width and height values in a GIF image.
Per: http://cwe.mitre.org/data/definitions/476.html
CWE-476: NULL Pointer Dereference
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
Signed-off-by: yzhu1 <yanjun.zhu at windriver.com>
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
---
meta/recipes-qt/qt4/qt4-4.8.6.inc | 1 +
.../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch | 31 ++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
index ae6692b..9db77c9 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
@@ -24,6 +24,7 @@ SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
file://0028-Don-t-crash-on-broken-GIF-images.patch \
file://g++.conf \
file://linux.conf \
+ file://qt4-4.8.6-fix-CVE-2014-0190.patch \
"
SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
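Review bot: The context line directly above the addition already lists file://0028-Don-t-crash-on-broken-GIF-images.patch, whose name matches the subject of the patch being added here ("Don't crash on broken GIF images"). Please confirm that 0028 does not already carry the same isNull() check in qgifhandler.cpp. If it does, the new SRC_URI entry is redundant and may fail to apply; if it does not, the commit message should say how the two patches differ.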
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
new file mode 100644
index 0000000..b8baea8
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
@@ -0,0 +1,31 @@
+Upstream-status: Pending
+Don't crash on broken GIF images
+
+Broken GIF images could set invalid width and height
+values inside the image, leading to Qt creating a null
+QImage for it. In that case we need to abort decoding
+the image and return an error.
+
+Initial patch by Rich Moore.
+
+Task-number: QTBUG-38367
+Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
+Security-advisory: CVE-2014-0190
+Reviewed-by: Richard J. Moore <rich at kde.org>
+
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
+ memset(bits, 0, image->byteCount());
+ }
+
++ // Check if the previous attempt to create the image failed. If it
++ // did then the image is broken and we should give up.
++ if (image->isNull()) {
++ state = Error;
++ return -1;
++ }
++
+ disposePrevious(image);
+ disposed = false;
+
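Review bot: The first line of the embedded patch header reads "Upstream-status: Pending", but the Task-number, Change-Id and Reviewed-by trailers below it suggest the change has already been through upstream review, so "Upstream-Status: Backport" (conventional spelling, capital S) with a pointer to the upstream commit looks more accurate. Separately, the new isNull() check is placed after the block that ends in memset(bits, 0, image->byteCount()), so on the failure path that memset still runs before decoding is aborted; it is worth confirming that this is harmless for a null image, or noting it in the patch description.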
--
2.0.0