
rpms/kdelibs/FC-3-embargo kdelibs-3.3.1-CAN-2005-1046.patch, NONE, 1.1 kdelibs.spec, 1.78, 1.79



Update of /cvs/dist/rpms/kdelibs/FC-3-embargo
In directory cvs.devel.redhat.com:/tmp/cvs-serv24942

Modified Files:
	kdelibs.spec 
Added Files:
	kdelibs-3.3.1-CAN-2005-1046.patch 
Log Message:
- backport the patch to fix kimgio input validation vulnerabilities,
  CAN-2005-1046, #152093, thanks to KDE security team


kdelibs-3.3.1-CAN-2005-1046.patch:
 exr.cpp   |    2 
 g3r.cpp   |    2 
 jp2.cpp   |    5 +
 pcx.cpp   |  164 +++++++++++++++++++++++++++++++-------------------------------
 pcx.h     |   13 ++--
 tiffr.cpp |    4 +
 xview.cpp |   38 +++++---------
 7 files changed, 114 insertions(+), 114 deletions(-)

--- NEW FILE kdelibs-3.3.1-CAN-2005-1046.patch ---
--- kdelibs-3.3.1/kimgio/exr.cpp.orig	2004-06-22 13:36:40.000000000 -0400
+++ kdelibs-3.3.1/kimgio/exr.cpp	2005-04-18 10:26:24.000000000 -0400
@@ -136,6 +136,8 @@
         file.readPixels (dw.min.y, dw.max.y);
 
 		QImage image(width, height, 32, 0, QImage::BigEndian);
+		if( image.isNull())
+			return;
 
 		// somehow copy pixels into image
 		for ( int y=0; y < height; y++ ) {
--- kdelibs-3.3.1/kimgio/jp2.cpp.orig	2003-10-26 05:54:06.000000000 -0500
+++ kdelibs-3.3.1/kimgio/jp2.cpp	2005-04-18 10:26:24.000000000 -0400
@@ -157,8 +157,9 @@
 	void
 	draw_view_gray( gs_t& gs, QImage& qti )
 	{
-		qti.create( jas_image_width( gs.image ), jas_image_height( gs.image ),
-			8, 256 );
+		if( !qti.create( jas_image_width( gs.image ), jas_image_height( gs.image ),
+			8, 256 ))
+			return;
 		for( int i = 0; i < 256; ++i )
 			qti.setColor( i, qRgb( i, i, i ) );
 
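Review bot: The new early return on a failed `qti.create()` is invisible to the caller, because draw_view_gray still returns void and the caller, which is outside this hunk, presumably goes on to use an empty `qti`. Consider `bool draw_view_gray( gs_t& gs, QImage& qti )` with `return false;` in the new branch and `return true;` at the end, or have the caller test `qti.isNull()` after the call. The function's body continues past the end of the hunk, so whether any later statement already guards this cannot be seen here.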
--- kdelibs-3.3.1/kimgio/pcx.cpp.orig	2003-10-26 05:54:06.000000000 -0500
+++ kdelibs-3.3.1/kimgio/pcx.cpp	2005-04-18 10:26:24.000000000 -0400
@@ -1,5 +1,5 @@
 /* This file is part of the KDE project
-   Copyright (C) 2002-2003 Nadeem Hasan <nhasan kde org>
+   Copyright (C) 2002-2005 Nadeem Hasan <nhasan kde org>
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -44,6 +44,11 @@
   s >> ph.HScreenSize;
   s >> ph.VScreenSize;
 
+  // Skip the rest of the header
+  Q_UINT8 byte;
+  while ( s.device()->at() < 128 )
+    s >> byte;
+
   return s;
 }
 
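Review bot: The new skip loop `while ( s.device()->at() < 128 ) s >> byte;` has no end-of-stream guard, so on a file shorter than 128 bytes it depends on the byte extraction advancing the device at EOF; Qt3's getch()-based `operator>>(Q_UINT8&)` does not appear to, which would make this loop never terminate. Use `while ( !s.atEnd() && s.device()->at() < 128 )` and let the reader's existing `header.Manufacturer != 10 || s.atEnd()` test reject the truncated header. Note that with the skip now inside `operator>>`, that `s.atEnd()` check in kimgio_pcx_read only runs after all 128 bytes have been consumed. The enclosing `operator>>` starts before this hunk.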
@@ -85,25 +90,22 @@
   return s;
 }
 
-static PCXHEADER header;
-static QImage img;
-static Q_UINT16 w, h;
-
-void PCXHEADER::reset()
+PCXHEADER::PCXHEADER()
 {
+  // Initialize all data to zero
   QByteArray dummy( 128 );
   dummy.fill( 0 );
   QDataStream s( dummy, IO_ReadOnly );
   s >> *this;
 }
 
-static void readLine( QDataStream &s, QByteArray &buf )
+static void readLine( QDataStream &s, QByteArray &buf, const PCXHEADER &header )
 {
   Q_UINT32 i=0;
   Q_UINT32 size = buf.size();
   Q_UINT8 byte, count;
 
-  if ( header.Encoding == 1 )
+  if ( header.isCompressed() )
   {
     // Uncompress the image data
     while ( i < size )
@@ -130,13 +132,14 @@
   }
 }
 
-static void readImage1( QDataStream &s )
+static void readImage1( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine );
 
-  img.create( w, h, 1, 2, QImage::BigEndian );
+  if(!img.create( header.width(), header.height(), 1, 2, QImage::BigEndian ))
+    return;
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -144,10 +147,11 @@
       return;
     }
 
-    readLine( s, buf );
-
-    for ( int x=0; x<header.BytesPerLine; ++x )
-      *( img.scanLine( y )+x ) = buf[ x ];
+    readLine( s, buf, header );
+    uchar *p = img.scanLine( y );
+    unsigned int bpl = QMIN((header.width()+7)/8, header.BytesPerLine);
+    for ( unsigned int x=0; x< bpl; ++x )
+      p[ x ] = buf[x];
   }
 
   // Set the color palette
@@ -155,14 +159,15 @@
   img.setColor( 1, qRgb( 255, 255, 255 ) );
 }
 
-static void readImage4( QDataStream &s )
+static void readImage4( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine*4 );
-  QByteArray pixbuf( w );
+  QByteArray pixbuf( header.width() );
 
-  img.create( w, h, 8, 16, QImage::IgnoreEndian );
+  if(!img.create( header.width(), header.height(), 8, 16 ))
+    return;
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -171,20 +176,19 @@
     }
 
     pixbuf.fill( 0 );
-    readLine( s, buf );
+    readLine( s, buf, header );
 
     for ( int i=0; i<4; i++ )
     {
       Q_UINT32 offset = i*header.BytesPerLine;
-      for ( int x=0; x<w; ++x )
+      for ( unsigned int x=0; x<header.width(); ++x )
         if ( buf[ offset + ( x/8 ) ] & ( 128 >> ( x%8 ) ) )
           pixbuf[ x ] += ( 1 << i );
     }
 
     uchar *p = img.scanLine( y );
-
-    for ( int x=0; x<w; ++x )
-      *p++ = pixbuf[ x ];
+    for ( unsigned int x=0; x<header.width(); ++x )
+      p[ x ] = pixbuf[ x ];
   }
 
   // Read the palette
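Review bot: `buf[ offset + ( x/8 ) ]` is still indexed by the image width rather than by the buffer size: `buf` holds `header.BytesPerLine*4` bytes, so whenever `header.BytesPerLine*8 < header.width()` the plane-3 read (offset `3*BytesPerLine`) runs past the end of `buf`, and QByteArray's `operator[]` is, as far as I know, unchecked outside debug builds. Bound the loop the way readImage1 now does: `unsigned int xmax = QMIN( header.width(), header.BytesPerLine*8 );` and `for ( unsigned int x=0; x<xmax; ++x )`. readImage24 has the same over-read in its `for ( unsigned int x=0; x<header.width(); ++x )` loop over `r_buf`/`g_buf`/`b_buf`, which are only `BytesPerLine` bytes; there the `QMIN(header.BytesPerLine, header.width())` bound that readImage8 uses is the fix.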
@@ -192,13 +196,14 @@
     img.setColor( i, header.ColorMap.color( i ) );
 }
 
-static void readImage8( QDataStream &s )
+static void readImage8( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray buf( header.BytesPerLine );
 
-  img.create( w, h, 8, 256, QImage::IgnoreEndian );
+  if(!img.create( header.width(), header.height(), 8, 256 ))
+    return;
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -206,19 +211,19 @@
       return;
     }
 
-    readLine( s, buf );
+    readLine( s, buf, header );
 
     uchar *p = img.scanLine( y );
-
-    for ( int x=0; x<header.BytesPerLine; ++x )
-      *p++ = buf[ x ];
+    unsigned int bpl = QMIN(header.BytesPerLine, header.width());
+    for ( unsigned int x=0; x<bpl; ++x )
+      p[ x ] = buf[ x ];
   }
 
   Q_UINT8 flag;
   s >> flag;
-  kdDebug() << "Flag: " << flag << endl;
+  kdDebug( 399 ) << "Palette Flag: " << flag << endl;
 
-  if ( flag == 12 && header.Version == 5 )
+  if ( flag == 12 && ( header.Version == 5 || header.Version == 2 ) )
   {
     // Read the palette
     Q_UINT8 r, g, b;
@@ -230,15 +235,16 @@
   }
 }
 
-static void readImage24( QDataStream &s )
+static void readImage24( QImage &img, QDataStream &s, const PCXHEADER &header )
 {
   QByteArray r_buf( header.BytesPerLine );
   QByteArray g_buf( header.BytesPerLine );
   QByteArray b_buf( header.BytesPerLine );
 
-  img.create( w, h, 32 );
+  if(!img.create( header.width(), header.height(), 32 ))
+    return;
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     if ( s.atEnd() )
     {
@@ -246,14 +252,13 @@
       return;
     }
 
-    readLine( s, r_buf );
-    readLine( s, g_buf );
-    readLine( s, b_buf );
+    readLine( s, r_buf, header );
+    readLine( s, g_buf, header );
+    readLine( s, b_buf, header );
 
     uint *p = ( uint * )img.scanLine( y );
-
-    for ( int x=0; x<header.BytesPerLine; ++x )
-      *p++ = qRgb( r_buf[ x ], g_buf[ x ], b_buf[ x ] );
+    for ( unsigned int x=0; x<header.width(); ++x )
+      p[ x ] = qRgb( r_buf[ x ], g_buf[ x ], b_buf[ x ] );
   }
 }
 
@@ -268,6 +273,8 @@
     return;
   }
 
+  PCXHEADER header;
+
   s >> header;
 
   if ( header.Manufacturer != 10 || s.atEnd())
@@ -276,10 +283,8 @@
     return;
   }
 
-  w = ( header.XMax-header.XMin ) + 1;
-  h = ( header.YMax-header.YMin ) + 1;
-
-  img.reset();
+  int w = header.width();
+  int h = header.height();
 
   kdDebug( 399 ) << "Manufacturer: " << header.Manufacturer << endl;
   kdDebug( 399 ) << "Version: " << header.Version << endl;
@@ -288,30 +293,27 @@
   kdDebug( 399 ) << "Width: " << w << endl;
   kdDebug( 399 ) << "Height: " << h << endl;
   kdDebug( 399 ) << "Window: " << header.XMin << "," << header.XMax << "," 
-            << header.YMin << "," << header.YMax << endl;
+                 << header.YMin << "," << header.YMax << endl;
   kdDebug( 399 ) << "BytesPerLine: " << header.BytesPerLine << endl;
   kdDebug( 399 ) << "NPlanes: " << header.NPlanes << endl;
 
-  // Skip the rest of the header
-  Q_UINT8 byte;
-  while ( s.device()->at() < 128 )
-    s >> byte;
+  QImage img;
 
   if ( header.Bpp == 1 && header.NPlanes == 1 )
   {
-    readImage1( s );
+    readImage1( img, s, header );
   }
   else if ( header.Bpp == 1 && header.NPlanes == 4 )
   {
-    readImage4( s );
+    readImage4( img, s, header );
   }
   else if ( header.Bpp == 8 && header.NPlanes == 1 )
   {
-    readImage8( s );
+    readImage8( img, s, header );
   }
   else if ( header.Bpp == 8 && header.NPlanes == 3 )
   {
-    readImage24( s );
+    readImage24( img, s, header );
   }
 
   kdDebug( 399 ) << "Image Bytes: " << img.numBytes() << endl;
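Review bot: None of the readImageN helpers reports failure: a rejected `img.create()` returns silently, and when no `Bpp`/`NPlanes` combination matches none of them is called at all, so after this hunk `img` may still be a null image. The code following the `"Image Bytes: "` debug line is outside the hunk; it should test `if ( img.isNull() ) return;` before handing `img` to the QImageIO so that a failed decode is not reported as success.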
@@ -359,7 +361,7 @@
   }
 }
 
-static void writeImage1( QDataStream &s )
+static void writeImage1( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   img = img.convertBitOrder( QImage::BigEndian );
 
@@ -367,29 +369,27 @@
   header.NPlanes = 1;
   header.BytesPerLine = img.bytesPerLine();
 
-  header.ColorMap.setColor( 0, qRgb( 0, 0, 0 ) );
-  header.ColorMap.setColor( 1, qRgb( 255, 255, 255 ) );
-
   s << header;
 
   QByteArray buf( header.BytesPerLine );
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
+    // Invert as QImage uses reverse palette for monochrome images?
     for ( int i=0; i<header.BytesPerLine; ++i )
-      buf[ i ] = p[ i ];
+      buf[ i ] = ~p[ i ];
 
     writeLine( s, buf );
   }
 }
 
-static void writeImage4( QDataStream &s )
+static void writeImage4( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 1;
   header.NPlanes = 4;
-  header.BytesPerLine = w/8;
+  header.BytesPerLine = header.width()/8;
 
   for ( int i=0; i<16; ++i )
     header.ColorMap.setColor( i, img.color( i ) );
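Review bot: `header.BytesPerLine = header.width()/8;` in writeImage4 floors, so for a width that is not a multiple of 8 the last partial byte of each plane is dropped, and the fill loop over `x<header.width()` (whose body lies in the next hunk and partly outside view) would index `x/8 == BytesPerLine`, one past the end of each `buf[i]`. `header.BytesPerLine = ( header.width() + 7 ) / 8;` matches the `(header.width()+7)/8` the reader now uses. Separately, `buf[ i ] = ~p[ i ];` inverts every monochrome scanline unconditionally while the comment beside it is phrased as a question; whether inversion is right depends on the image's palette order, so either decide it from `img.color( 0 )` or keep this behaviour change out of a security backport.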
@@ -401,14 +401,14 @@
   for ( int i=0; i<4; ++i )
       buf[ i ].resize( header.BytesPerLine );
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
     for ( int i=0; i<4; ++i )
       buf[ i ].fill( 0 );
 
-    for ( int x=0; x<w; ++x )
+    for ( unsigned int x=0; x<header.width(); ++x )
     {
       for ( int i=0; i<4; ++i )
         if ( *( p+x ) & ( 1 << i ) )
@@ -420,7 +420,7 @@
   }
 }
 
-static void writeImage8( QDataStream &s )
+static void writeImage8( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 8;
   header.NPlanes = 1;
@@ -430,7 +430,7 @@
 
   QByteArray buf( header.BytesPerLine );
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     Q_UINT8 *p = img.scanLine( y );
 
@@ -449,23 +449,23 @@
     s << RGB( img.color( i ) );
 }
 
-static void writeImage24( QDataStream &s )
+static void writeImage24( QImage &img, QDataStream &s, PCXHEADER &header )
 {
   header.Bpp = 8;
   header.NPlanes = 3;
-  header.BytesPerLine = w;
+  header.BytesPerLine = header.width();
 
   s << header;
 
-  QByteArray r_buf( w );
-  QByteArray g_buf( w );
-  QByteArray b_buf( w );
+  QByteArray r_buf( header.width() );
+  QByteArray g_buf( header.width() );
+  QByteArray b_buf( header.width() );
 
-  for ( int y=0; y<h; ++y )
+  for ( int y=0; y<header.height(); ++y )
   {
     uint *p = ( uint * )img.scanLine( y );
 
-    for ( int x=0; x<w; ++x )
+    for ( unsigned int x=0; x<header.width(); ++x )
     {
       QRgb rgb = *p++;
       r_buf[ x ] = qRed( rgb );
@@ -484,10 +484,10 @@
   QDataStream s( io->ioDevice() );
   s.setByteOrder( QDataStream::LittleEndian );
 
-  img = io->image();
+  QImage img = io->image();
 
-  w = img.width();
-  h = img.height();
+  int w = img.width();
+  int h = img.height();
 
   kdDebug( 399 ) << "Width: " << w << endl;
   kdDebug( 399 ) << "Height: " << h << endl;
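Review bot: `w` and `h` are taken from the image without any range check before the header is populated, and the header's extent fields are of the 16-bit kind shown in the pcx.h hunk (their own declarations and the XMax/YMax assignments are outside view), so an image wider or taller than the 16-bit range would silently wrap them and the writer would emit a header whose `width()`/`height()` disagree with the pixel data that follows. A conservative guard such as `if ( w <= 0 || h <= 0 || w > 65535 || h > 65535 ) return;` right after these two lines, leaving the status unset, closes that.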
@@ -495,6 +495,8 @@
   kdDebug( 399 ) << "BytesPerLine: " << img.bytesPerLine() << endl;
   kdDebug( 399 ) << "Num Colors: " << img.numColors() << endl;
 
+  PCXHEADER header;
+
   header.Manufacturer = 10;
   header.Version = 5;
   header.Encoding = 1;
@@ -509,19 +511,19 @@
 
   if ( img.depth() == 1 )
   {
-    writeImage1( s );
+    writeImage1( img, s, header );
   }
   else if ( img.depth() == 8 && img.numColors() <= 16 )
   {
-    writeImage4( s );
+    writeImage4( img, s, header );
   }
   else if ( img.depth() == 8 )
   {
-    writeImage8( s );
+    writeImage8( img, s, header );
   }
   else if ( img.depth() == 32 )
   {
-    writeImage24( s );
+    writeImage24( img, s, header );
   }
 
   io->setStatus( 0 );
--- kdelibs-3.3.1/kimgio/pcx.h.orig	2003-01-03 19:48:25.000000000 -0500
+++ kdelibs-3.3.1/kimgio/pcx.h	2005-04-18 10:26:24.000000000 -0400
@@ -49,7 +49,7 @@
       rgb[ i ] = RGB( color );
     }
 
-    QRgb color( int i )
+    QRgb color( int i ) const
     {
       return qRgb( rgb[ i ].r, rgb[ i ].g, rgb[ i ].b );
     }
@@ -60,12 +60,11 @@
 class PCXHEADER
 {
   public:
-    PCXHEADER()
-    {
-      reset();
-    }
+    PCXHEADER();
 
-    void reset();
+    inline int width() const { return ( XMax-XMin ) + 1; }
+    inline int height() const { return ( YMax-YMin ) + 1; }
+    inline bool isCompressed() const { return ( Encoding==1 ); }
 
     Q_UINT8  Manufacturer;    // Constant Flag, 10 = ZSoft .pcx
     Q_UINT8  Version;         // Version information·
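Review bot: `width()` and `height()` are undocumented on their failure mode: when `XMax < XMin` (or `YMax < YMin`) they yield a non-positive value, or a wrapped one depending on the field type, and every reader loop in pcx.cpp now iterates up to them, relying on `QImage::create()` rejecting the size first. A comment on both accessors, e.g. `// May be <= 0 for a malformed header (XMax < XMin); callers must validate before use.`, records that contract. `isCompressed()` could likewise say that only `Encoding == 1` (RLE) is recognised and any other value is treated as raw data.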
@@ -99,7 +98,7 @@
                               // found only in PB IV/IV Plus
     Q_UINT16 VScreenSize;     // Vertical screen size in pixels. New field
                               // found only in PB IV/IV Plus
-};
+} KDE_PACKED;
 
 #endif // PCX_H
 
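Review bot: `KDE_PACKED` on `PCXHEADER` looks unnecessary for I/O, since the header is serialised field by field through `operator>>`/`operator<<` (the pcx.cpp hunk reads `ph.HScreenSize` and `ph.VScreenSize` individually) rather than copied as a block, and packing turns the Q_UINT16 members into potentially unaligned objects. `s >> ph.HScreenSize` then binds a reference to such a member, which may fault on strict-alignment targets and is something newer compilers warn about. If packing is wanted for a reason not visible here, a comment next to the attribute stating that reason would help; otherwise drop it.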
--- kdelibs-3.3.1/kimgio/tiffr.cpp.orig	2004-06-22 13:36:40.000000000 -0400
+++ kdelibs-3.3.1/kimgio/tiffr.cpp	2005-04-18 10:38:28.000000000 -0400
@@ -83,6 +83,10 @@
             return;
 
 	QImage image( width, height, 32 );
+	if( image.isNull()) {
+		TIFFClose( tiff );
+		return;
+	}
 	data = (uint32 *)image.bits();
 
 	//Sven: changed to %ld for 64bit machines
--- kdelibs-3.3.1/kimgio/xview.cpp.orig	2003-09-07 08:17:55.000000000 -0400
+++ kdelibs-3.3.1/kimgio/xview.cpp	2005-04-18 10:29:13.000000000 -0400
@@ -7,12 +7,16 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <stdlib.h>
 #include <qimage.h>
 
 #include "xview.h"
 
 #define BUFSIZE 1024
 
+static const int b_255_3[]= {0,85,170,255},  // index*255/3
+            rg_255_7[]={0,36,72,109,145,182,218,255}; // index *255/7
+
 void kimgio_xv_read( QImageIO *_imageio )
 {      
 	int x=-1;
@@ -48,10 +52,14 @@
 	sscanf(str, "%d %d %d", &x, &y, &maxval);
 
 	if (maxval != 255) return;
+	int blocksize = x*y;
+        if(x < 0 || y < 0 || blocksize < x || blocksize < y)
+            return;
 
 	// now follows a binary block of x*y bytes. 
-	int blocksize = x*y;
-	char *block = new char[ blocksize ];
+	char *block = (char*) malloc(blocksize);
+        if(!block)
+            return;
 
 	if (iodev->readBlock(block, blocksize) != blocksize ) 
 	{
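Review bot: The overflow test `blocksize < x || blocksize < y` runs after `x*y` has already overflowed, which is undefined behaviour for `int`, and even under wraparound it lets products through that wrap to a value larger than both factors (65537*65537 wraps to 131073 with 32-bit int). Check before multiplying: `if (x <= 0 || y <= 0 || x > INT_MAX / y) return;` and only then `int blocksize = x*y;` (INT_MAX is in `<limits.h>`). Rejecting zero dimensions also avoids `malloc(0)`, whose result may legitimately be null. The new lines also mix tab and space indentation, unlike the rest of the file.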
@@ -60,6 +68,10 @@
 
 	// Create the image
 	QImage image( x, y, 8, maxval + 1, QImage::BigEndian );
+	if( image.isNull()) {
+                free(block);
+		return;
+        }
 
 	// how do the color handling? they are absolute 24bpp
 	// or at least can be calculated as such.
@@ -67,29 +79,9 @@
 
 	for ( int j = 0; j < 256; j++ )
 	{
-// ----------- OLIVER EIDEN
-// 	That is the old-code !
-/*		r =  ((int) ((j >> 5) & 0x07)) << 5;
-		g =  ((int) ((j >> 2) & 0x07)) << 5;
-		b =  ((int) ((j >> 0) & 0x03)) << 6;*/
-
-
-// 	That is the code-how xv, decode 3-3-2 pixmaps, it is slighly different,
-//	but yields much better visuals results
-/*		r =  (((int) ((j >> 5) & 0x07)) *255) / 7;
-		g =  (((int) ((j >> 2) & 0x07)) *255) / 7;
-		b =  (((int) ((j >> 0) & 0x03)) *255) / 3;*/
-
-//	This is the same as xv, with multiplications/divisions replaced by indexing
-
-//      Look-up table to avoid multiplications and divisons
-	static int b_255_3[]= {0,85,170,255},  // index*255/3
-		   rg_255_7[]={0,36,72,109,145,182,218,255}; // index *255/7
-
 		r =  rg_255_7[((j >> 5) & 0x07)];
 		g =  rg_255_7[((j >> 2) & 0x07)];
 		b =  b_255_3[((j >> 0) & 0x03)];
-// ---------------
 		image.setColor( j, qRgb( r, g, b ) );
 	}
 
@@ -102,7 +94,7 @@
 	_imageio->setImage( image );
 	_imageio->setStatus( 0 );
 
-	delete [] block;
+	free(block);
 	return;
 }
 
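Review bot: `block` is now allocated with `malloc`, but the body of the short-read branch `if (iodev->readBlock(block, blocksize) != blocksize )` lies between the hunks and is not visible, so it cannot be seen whether it still releases `block` with a now-mismatched `delete []` or returns without freeing at all; that path needs `free(block);` before its `return;`. The other visible exits after the allocation (the `image.isNull()` branch and the end of the function) are covered.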
--- kdelibs-3.3.1/kimgio/g3r.cpp.orig	2005-04-18 10:35:52.000000000 -0400
+++ kdelibs-3.3.1/kimgio/g3r.cpp	2005-04-18 10:36:18.000000000 -0400
@@ -28,7 +28,7 @@
 
   QImage image(width, height, 1, 0, QImage::BigEndian);
   
-  if (scanlength != image.bytesPerLine())
+  if (image.isNull() || scanlength != image.bytesPerLine())
     {
       TIFFClose(tiff);
       return;


Index: kdelibs.spec
===================================================================
RCS file: /cvs/dist/rpms/kdelibs/FC-3-embargo/kdelibs.spec,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- kdelibs.spec	23 Mar 2005 11:07:08 -0000	1.78
+++ kdelibs.spec	18 Apr 2005 15:06:18 -0000	1.79
@@ -16,7 +16,7 @@
 %define arts 1
 
 Version: 3.3.1
-Release: 2.9.FC3
+Release: 2.10.FC3
 Summary: K Desktop Environment - Libraries
 Name: kdelibs
 Url: http://www.kde.org/
@@ -71,6 +71,9 @@
 # CAN-2005-0237, Konqueror International Domain Name Spoofing
 Patch207: post-3.3.2-kdelibs-idn-2.patch
 
+# CAN-2005-1046, kimgio input validation vulnerabilities
+Patch208: kdelibs-3.3.1-CAN-2005-1046.patch
+
 %if %{arts}
 Requires: arts >= %{arts_version}
 %endif
@@ -206,6 +209,7 @@
 %patch205 -p0 -b .CAN-2005-0365
 %patch206 -p0 -b .CAN-2005-0396
 %patch207 -p0 -b .CAN-2005-0237
+%patch208 -p1 -b .CAN-2005-1046
 
 # add redhat into KDE_VERSION_STRING
 %if %{redhatify}
@@ -429,6 +433,10 @@
 %doc %{_docdir}/HTML/en/kdelibs*
 
 %changelog
+* Mon Apr 18 2005 Than Ngo <than redhat com> 6:3.3.1-2.10.FC3
+- backport the patch to fix kimgio input validation vulnerabilities,
+  CAN-2005-1046, #152093, thanks to KDE security team
+
 * Wed Mar 23 2005 Than Ngo <than redhat com> 6:3.3.1-2.9.FC3
 - Applied patch to fix konqueror international domain name spoofing,
   CAN-2005-0237, #147405

