[OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190

jackie.huang at windriver.com jackie.huang at windriver.com
Wed Jun 18 09:41:31 UTC 2014


From: yzhu1 <yanjun.zhu at windriver.com>

The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
to cause a denial of service (NULL pointer dereference) via
invalid width and height values in a GIF image.
Per: http://cwe.mitre.org/data/definitions/476.html

CWE-476: NULL Pointer Dereference

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
Signed-off-by: yzhu1 <yanjun.zhu at windriver.com>
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
---
 meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  1 +
 .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch    | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch

diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
index ae6692b..9db77c9 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
@@ -24,6 +24,7 @@ SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
            file://0028-Don-t-crash-on-broken-GIF-images.patch \
            file://g++.conf \
            file://linux.conf \
+           file://qt4-4.8.6-fix-CVE-2014-0190.patch \
            "
 
 SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
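Review bot: The SRC_URI this hunk extends already carries file://0028-Don-t-crash-on-broken-GIF-images.patch, and the new qt4-4.8.6-fix-CVE-2014-0190.patch is titled "Don't crash on broken GIF images" as well; please confirm the two are not the same upstream change, since an identical fix applied twice will fail at do_patch, and if 0028 already covers QTBUG-38367 the new file is redundant. If both are needed, a one-line note in the commit message saying how they differ would save the next reader the comparison.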
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
new file mode 100644
index 0000000..b8baea8
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
@@ -0,0 +1,31 @@
+Upstream-status: Pending
+Don't crash on broken GIF images
+
+Broken GIF images could set invalid width and height
+values inside the image, leading to Qt creating a null
+QImage for it. In that case we need to abort decoding
+the image and return an error.
+
+Initial patch by Rich Moore.
+
+Task-number: QTBUG-38367
+Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
+Security-advisory: CVE-2014-0190
+Reviewed-by: Richard J. Moore <rich at kde.org>
+
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
+                     memset(bits, 0, image->byteCount());
+                 }
+ 
++                // Check if the previous attempt to create the image failed. If it
++                // did then the image is broken and we should give up.
++                if (image->isNull()) {
++                    state = Error;
++                    return -1;
++                }
++
+                 disposePrevious(image);
+                 disposed = false;
+ 
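Review bot: "Upstream-status: Pending" at the top of the patch header looks wrong on two counts: the OE convention is the spelling "Upstream-Status:", and the Change-Id, Task-number (QTBUG-38367), Reviewed-by and Security-advisory lines show this was taken from the Qt Gerrit review rather than written here, while the commit message itself says the issue is fixed in Qt 5.3, so the status should be "Backport" with a pointer to the upstream commit it was taken from. On the code itself, the new image->isNull() check is placed after the preceding block's memset(bits, 0, image->byteCount()); if bits comes from the same null QImage that is fine only because byteCount() is then 0, so it would be worth stating that in the comment or moving the check above the memset so the early return guards everything that touches the image.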
-- 
2.0.0
