rpms/qt/devel utf8-bug-qt3-CVE-2007-0242.diff, NONE, 1.1 qt.spec, 1.138, 1.139

Than Ngo (than) fedora-extras-commits at redhat.com
Wed Aug 29 17:18:58 UTC 2007


Author: than

Update of /cvs/extras/rpms/qt/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4301

Modified Files:
	qt.spec 
Added Files:
	utf8-bug-qt3-CVE-2007-0242.diff 
Log Message:
CVE-2007-0242 UTF8 improper character expansion


utf8-bug-qt3-CVE-2007-0242.diff:

--- NEW FILE utf8-bug-qt3-CVE-2007-0242.diff ---
--- src/codecs/qutfcodec.cpp
+++ src/codecs/qutfcodec.cpp
@@ -154,6 +154,7 @@
 
 class QUtf8Decoder : public QTextDecoder {
     uint uc;
+    uint min_uc;
     int need;
     bool headerDone;
 public:
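Review bot: The new `min_uc` member gets no initializer in this hunk, and the constructor that presumably initialises `uc`, `need` and `headerDone` lies outside it. Every path that sets `need` non-zero also sets `min_uc` (hunk at L61-L82), so nothing visible reads it uninitialised, but a decoder whose constructor leaves `need` non-zero would compare against garbage; for symmetry, extend the constructor's initialiser list with `min_uc(0)`. The class body continues past the hunk.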
@@ -167,8 +168,9 @@
 	result.setLength( len ); // worst case
 	QChar *qch = (QChar *)result.unicode();
 	uchar ch;
+        int error = -1;
 	for (int i=0; i<len; i++) {
-	    ch = *chars++;
+	    ch = chars[i];
 	    if (need) {
 		if ( (ch&0xc0) == 0x80 ) {
 		    uc = (uc << 6) | (ch & 0x3f);
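Review bot: `error` is a function local reset to -1 on every call, while `uc`, `need` and `min_uc` are members that carry a partially decoded sequence across calls, so when the hunk at L53-L60 detects a bad continuation byte and does `i = error`, a sequence that began in the previous call rewinds `i` to -1 and `chars[0]` is decoded a second time after `QChar::replacement` has already been written. That call can therefore emit len+1 QChars into `result`, which was sized with `setLength( len ); // worst case` at L34. Rewind only when the sequence started in this buffer, `if (error >= 0) i = error;`, which keeps the original consume-the-byte behaviour for the cross-call case, or alternatively grow `result` by one when `need` is non-zero on entry. The enclosing function starts and ends outside the hunk.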
@@ -182,6 +184,8 @@
 			    *qch++ = QChar(high);
 			    *qch++ = QChar(low);
 			    headerDone = TRUE;
+			} else if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
+                            *qch++ = QChar::replacement;
 			} else {
 			    if (headerDone || QChar(uc) != QChar::byteOrderMark)
 				*qch++ = uc;
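Review bot: The new reject test at L48 only runs in the `else if`, after the surrogate-pair branch whose condition is outside the hunk; if that branch takes every `uc > 0xffff` (L45-L46 compute high/low from it), a 4-byte sequence decoding above 0x10FFFF still reaches it and yields an out-of-range high surrogate instead of `QChar::replacement`. Consider evaluating the reject condition before the pair branch with the upper bound added, e.g. `if ((uc < min_uc) || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe && uc <= 0xffff) || uc > 0x10ffff)`. The same ordering applies to the qstring.cpp hunk at L93-L105. Note also that this decoder collapses the whole invalid sequence into one replacement, while qstring.cpp rewinds with `i = error` and re-encodes the lead byte; if that divergence between QTextCodec and QString::fromUtf8 is intentional, a one-line comment saying so would help the next reader.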
@@ -190,6 +194,7 @@
 		    }
 		} else {
 		    // error
+                    i = error;
 		    *qch++ = QChar::replacement;
 		    need = 0;
 		}
@@ -200,12 +205,21 @@
 		} else if ((ch & 0xe0) == 0xc0) {
 		    uc = ch & 0x1f;
 		    need = 1;
+                    error = i;
+		    min_uc = 0x80;
 		} else if ((ch & 0xf0) == 0xe0) {
 		    uc = ch & 0x0f;
 		    need = 2;
+                    error = i;
+		    min_uc = 0x800;
 		} else if ((ch&0xf8) == 0xf0) {
 		    uc = ch & 0x07;
 		    need = 3;
+                    error = i;
+                    min_uc = 0x10000;
+                } else {
+                    // error
+                    *qch++ = QChar::replacement;
 		}
 	    }
 	}
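Review bot: Style: the added lines at L65, L70 and L75-L79 are indented with spaces while the neighbouring lines (L66, L71, L80) use tabs, so the block now mixes both within one `if` chain; the same applies to L37, L49 and L57 in the earlier hunks. Re-indent the additions with tabs to match the file. The new trailing `else` deserves a comment naming what it catches rather than the bare `// error`, e.g. `// stray continuation byte, or lead byte outside 0xc0-0xf7`.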
--- src/tools/qstring.cpp
+++ src/tools/qstring.cpp
@@ -5805,6 +5805,7 @@
     result.setLength( len ); // worst case
     QChar *qch = (QChar *)result.unicode();
     uint uc = 0;
+    uint min_uc = 0;
     int need = 0;
     int error = -1;
     uchar ch;
@@ -5822,6 +5823,12 @@
 			unsigned short low = uc%0x400 + 0xdc00;
 			*qch++ = QChar(high);
 			*qch++ = QChar(low);
+		    } else if (uc < min_uc || (uc >= 0xd800 && uc <= 0xdfff) || (uc >= 0xfffe)) {
+			// overlong seqence, UTF16 surrogate or BOM
+                        i = error;
+                        qch = addOne(qch, result);
+                        *qch++ = QChar(0xdbff);
+                        *qch++ = QChar(0xde00+((uchar)utf8[i]));
 		    } else {
 			*qch++ = uc;
 		    }
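Review bot: The comment at L98 is inaccurate as well as misspelled: `uc >= 0xfffe` in the condition above rejects the U+FFFE/U+FFFF noncharacters, not the byte-order mark (U+FEFF), so write `// overlong sequence, UTF-16 surrogate, or U+FFFE/U+FFFF noncharacter`. The branch calls `addOne` once but then writes two QChars; the existing `// Error` branch at L121-L123 appears to follow the same pattern, so this presumably relies on `addOne` reserving room beyond the `len` worst case — its contract is outside the hunk, worth confirming. Here `error` and `need` are locals (L90-L91), so the cross-call rewind issue noted on the qutfcodec.cpp decoder does not apply. The enclosing function starts and ends outside the hunk.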
@@ -5844,14 +5851,17 @@
 		uc = ch & 0x1f;
 		need = 1;
 		error = i;
+		min_uc = 0x80;
 	    } else if ((ch & 0xf0) == 0xe0) {
 		uc = ch & 0x0f;
 		need = 2;
 		error = i;
+		min_uc = 0x800;
 	    } else if ((ch&0xf8) == 0xf0) {
 		uc = ch & 0x07;
 		need = 3;
 		error = i;
+		min_uc = 0x10000;
 	    } else {
 	        // Error
                 qch = addOne(qch, result);


Index: qt.spec
===================================================================
RCS file: /cvs/extras/rpms/qt/devel/qt.spec,v
retrieving revision 1.138
retrieving revision 1.139
diff -u -r1.138 -r1.139
--- qt.spec	29 Aug 2007 12:15:28 -0000	1.138
+++ qt.spec	29 Aug 2007 17:18:25 -0000	1.139
@@ -1,7 +1,7 @@
 Summary: The shared library for the Qt GUI toolkit.
 Name: qt
 Version: 3.3.8
-Release: 7%{?dist}
+Release: 7%{?dist}.1
 Epoch: 1
 License: GPL/QPL
 Group: System Environment/Libraries
@@ -305,6 +305,7 @@
 
 # security patches
 %patch300 -p1 -b .CVE-2007-3388
+%patch301 -p0 -b .CVE-2007-0242
 
 # convert to UTF-8
 iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
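Review bot: `%patch301 -p0 -b .CVE-2007-0242` is applied, but none of the three hunks in this diff adds a matching `Patch301:` declaration naming utf8-bug-qt3-CVE-2007-0242.diff; unless revision 1.138 already declared that number, rpmbuild stops at %prep with an undefined patch. The `-p0` itself is consistent with the patch's bare `src/...` paths, unlike the `-p1` used for patch300.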
@@ -575,6 +576,9 @@
 
 
 %changelog
+* Wed Aug 29 2007 Than Ngo <than at redhat.com> - 1:3.3.8-7.fc7.1
+- CVE-2007-0242
+
 * Tue Aug 28 2007 Than Ngo <than at redhat.com> - 1:3.3.8-7
 - CVE-2007-3388 qt3 format string flaw
 - backport to fix #bz243722, bz#244148, Applications using qt-mysql crash if database is



