Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/x11-libs/qt/files/qt-3.3.6-CVE-2006-4811-bis.patch
blob: 9a42a34bb29454855cd8f681d64e89e71aa88e71 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

--- //depot/qt/3/src/kernel/qfontengine_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
+++ //depot/qt/3/src/kernel/qfontengine_x11.cpp	Thu Oct 19 14:41:41 CEST 2006

@@ -171,7 +171,8 @@
 
     QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h));
     QRect br2 = br & pdevRect;
-    if (br2.width() <= 0 || br2.height() <= 0)
+    if (br2.width() <= 0 || br2.height() <= 0
+        || br2.width() >= 32768 || br2.height() >= 32768)
         return;
     QWMatrix mat = QPixmap::trueMatrix( xmat, w, h );
     QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat);

--- //depot/qt/3/src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006
+++ //depot/qt/3/src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006

@@ -475,7 +475,12 @@
 		Endian bitOrder )
 {
     init();
-    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
+    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
+    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
+         || INT_MAX / sizeof(uchar *) < uint(h)
+         || INT_MAX / uint(depth) < uint(w)
+         || bpl <= 0
+         || INT_MAX / uint(bpl) < uint(h) )
 	return;					// invalid parameter(s)
     data->w = w;
     data->h = h;
@@ -483,7 +488,6 @@
     data->ncols = depth != 32 ? numColors : 0;
     if ( !yourdata )
 	return;	    // Image header info can be saved without needing to allocate memory.
-    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
     data->nbytes = bpl*h;
     if ( colortable || !data->ncols ) {
 	data->ctbl = colortable;
@@ -525,7 +529,10 @@
 		Endian bitOrder )
 {
     init();
-    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
+    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
+         || INT_MAX / sizeof(uchar *) < uint(h)
+         || INT_MAX / uint(bpl) < uint(h)
+         )
 	return;					// invalid parameter(s)
     data->w = w;
     data->h = h;
@@ -1264,7 +1271,7 @@
     if ( data->ncols != numColors )		// could not alloc color table
 	return FALSE;
 
-    if ( INT_MAX / depth < width) { // sanity check for potential overflow
+    if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
 	setNumColors( 0 );
 	return FALSE;
     }
@@ -1277,7 +1284,9 @@
     // #### WWA: shouldn't this be (width*depth+7)/8:
     const int pad = bpl - (width*depth)/8;	// pad with zeros
 #endif
-    if (INT_MAX / bpl < height) { // sanity check for potential overflow
+    if ( INT_MAX / uint(bpl) < uint(height)
+        || bpl < 0
+        || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
 	setNumColors( 0 );
 	return FALSE;
     }

--- //depot/qt/3/src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
+++ //depot/qt/3/src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006

@@ -953,6 +953,9 @@
     bool force_mono = (dd == 1 || isQBitmap() ||
 		       (conversion_flags & ColorMode_Mask)==MonoOnly );
 
+    if ( w >= 32768 || h >= 32768 )
+        return FALSE;
+
     // get rid of the mask
     delete data->mask;
     data->mask = 0;
@@ -1678,11 +1681,11 @@
 
 QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
 {
-    int	   w = 0;
-    int	   h = 0;				// size of target pixmap
-    int	   ws, hs;				// size of source pixmap
+    uint   w = 0;
+    uint   h = 0;				// size of target pixmap
+    uint   ws, hs;				// size of source pixmap
     uchar *dptr;				// data in target pixmap
-    int	   dbpl, dbytes;			// bytes per line/bytes total
+    uint   dbpl, dbytes;			// bytes per line/bytes total
     uchar *sptr;				// data in original pixmap
     int	   sbpl;				// bytes per line in original
     int	   bpp;					// bits per pixel
@@ -1697,19 +1700,24 @@
 
     QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
 
+    double scaledWidth;
+    double scaledHeight;
+
     if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
 	if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
 	    return *this;			// identity matrix
-	h = qRound( matrix.m22()*hs );
-	w = qRound( matrix.m11()*ws );
-	h = QABS( h );
-	w = QABS( w );
+	scaledHeight = matrix.m22()*hs;
+	scaledWidth = matrix.m11()*ws;
+	h = QABS( qRound( scaledHeight ) );
+	w = QABS( qRound( scaledWidth ) );
     } else {					// rotation or shearing
 	QPointArray a( QRect(0,0,ws+1,hs+1) );
 	a = mat.map( a );
 	QRect r = a.boundingRect().normalize();
 	w = r.width()-1;
 	h = r.height()-1;
+        scaledWidth = w;
+        scaledHeight = h;
     }
 
     mat = trueMatrix( mat, ws, hs ); // true matrix
@@ -1718,7 +1726,8 @@
     bool invertible;
     mat = mat.invert( &invertible );		// invert matrix
 
-    if ( h == 0 || w == 0 || !invertible ) {	// error, return null pixmap
+    if ( h == 0 || w == 0 || !invertible
+         || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) {	// error, return null pixmap
 	QPixmap pm;
 	pm.data->bitmap = data->bitmap;
 	return pm;