- Add patch to fix buffer overflows (boo#1123281):

* 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kimageformats?expand=0&rev=161
2019-01-28 13:30:51 +00:00 · 2019-01-28 13:30:51 +00:00 · 863dc72219
commit 863dc72219
parent 2e3e08bca1
3 changed files with 120 additions and 1 deletions
--- a/0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
+++ b/0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
@ -0,0 +1,111 @@
+From 20b6fef093ab276a532d015a192e62d7219c939a Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Sun, 20 Jan 2019 12:51:02 +0100
+Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf
+
+Test Plan: No crash anymore.
+
+Reviewers: aacid
+
+Subscribers: kde-frameworks-devel
+
+Tags: #frameworks
+
+Differential Revision: https://phabricator.kde.org/D18574
+---
+ src/imageformats/tga.cpp | 27 +++++++++++++++++++++++----
+ src/imageformats/xcf.cpp |  3 ++-
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
+index 3a22b45..9217bed 100644
+--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
+@@ -189,7 +189,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     uint pixel_size = (tga.pixel_size / 8);
+-    uint size = tga.width * tga.height * pixel_size;
+    qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
+ 
+     if (size < 1) {
+ //          qDebug() << "This TGA file is broken with size " << size;
+@@ -204,20 +204,34 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     // Allocate image.
+-    uchar *const image = new uchar[size];
+    uchar *const image = reinterpret_cast<uchar*>(malloc(size));
+    if (!image) {
+        return false;
+    }
+
+    bool valid = true;
+ 
+     if (info.rle) {
+         // Decode image.
+         char *dst = (char *)image;
+-        int num = size;
+        qint64 num = size;
+ 
+         while (num > 0) {
+            if (s.atEnd()) {
+                valid = false;
+                break;
+            }
+
+             // Get packet header.
+             uchar c;
+             s >> c;
+ 
+             uint count = (c & 0x7f) + 1;
+             num -= count * pixel_size;
+            if (num < 0) {
+                valid = false;
+                break;
+            }
+ 
+             if (c & 0x80) {
+                 // RLE pixels.
+@@ -240,6 +254,11 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+         s.readRawData((char *)image, size);
+     }
+ 
+    if (!valid) {
+        free(image);
+        return false;
+    }
+
+     // Convert image to internal format.
+     int y_start, y_step, y_end;
+     if (tga.flags & TGA_ORIGIN_UPPER) {
+@@ -294,7 +313,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     // Free image.
+-    delete [] image;
+    free(image);
+ 
+     return true;
+ }
+diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
+index 758b65e..824d67a 100644
+--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
+@@ -489,11 +489,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
+         quint32 ncolors;
+         xcf_io >> ncolors;
+ 
+        size = 3 * ncolors + 4;
+
+         if (size > 65535 || size < 4) {
+             return false;
+         }
+ 
+-        size = 3 * ncolors + 4;
+         data = new char[size];
+ 
+         // since we already read "ncolors" from the stream, we put that data back
+-- 
+2.20.1
+
--- a/kimageformats.changes
+++ b/kimageformats.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jan 28 13:30:26 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Add patch to fix buffer overflows (boo#1123281):
+  * 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
+
 -------------------------------------------------------------------
 Wed Jan 23 17:47:54 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>

--- a/kimageformats.spec
+++ b/kimageformats.spec
@ -30,6 +30,8 @@ Group:          System/GUI/KDE
 URL:            https://www.kde.org
 Source:         http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+# PATCH-FIX-UPSTREAM
+Patch001:       0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
 BuildRequires:  cmake >= 3.0
 BuildRequires:  extra-cmake-modules >= %{_kf5_bugfix_version}
 BuildRequires:  fdupes
@ -62,7 +64,7 @@ it invokes ghostscript for conversion, it should only be used in trusted
 environments.

 %prep
-%setup -q
+%autosetup -p1

 %build
  %cmake_kf5 -d build