diff --git a/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch b/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch
new file mode 100644
index 0000000..d2b24b0
--- /dev/null
+++ b/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch
@@ -0,0 +1,14 @@
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 078c5993..5165bf19 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -181,7 +181,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
+ if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
+ (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
+ return false; // weird compression type
+-
++ if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
++ return false;
+ return true;
+ }
+
diff --git a/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch b/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
new file mode 100644
index 0000000..9ab940e
--- /dev/null
+++ b/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
@@ -0,0 +1,25 @@
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 2a9217a2..28823f84 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -356,7 +356,8 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ (*image) = QImage(swidth, sheight, format);
+ bpl = image->bytesPerLine();
+ bits = image->bits();
+- memset(bits, 0, image->byteCount());
++ if (bits)
++ memset(bits, 0, image->byteCount());
+ }
+
+ // Check if the previous attempt to create the image failed. If it
+@@ -417,6 +418,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ backingstore = QImage(qMax(backingstore.width(), w),
+ qMax(backingstore.height(), h),
+ QImage::Format_RGB32);
++ if (backingstore.isNull()) {
++ state = Error;
++ return -1;
++ }
+ memset(bits, 0, image->byteCount());
+ }
+ const int dest_bpl = backingstore.bytesPerLine();
diff --git a/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch b/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
new file mode 100644
index 0000000..674622d
--- /dev/null
+++ b/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
@@ -0,0 +1,13 @@
+diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
+index 9cacfab2..6ab58b25 100644
+--- a/src/gui/image/qppmhandler.cpp
++++ b/src/gui/image/qppmhandler.cpp
+@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
+ else
+ mcc = read_pbm_int(device); // get max color component
+
+- if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
++ if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
+ return false; // weird P.M image
+
+ return true;
diff --git a/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch b/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch
new file mode 100644
index 0000000..9dbc2c3
--- /dev/null
+++ b/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch
@@ -0,0 +1,13 @@
+diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
+index 3539e1b7..f637e2d5 100644
+--- a/src/corelib/xml/qxmlstream_p.h
++++ b/src/corelib/xml/qxmlstream_p.h
+@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
+ state_stack[tos] = 0;
+ return true;
+ } else if (act > 0) {
+- if (++tos == stack_size-1)
++ if (++tos >= stack_size-1)
+ reallocateStack();
+
+ Value &val = sym_stack[tos];
diff --git a/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch b/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch
new file mode 100644
index 0000000..3562951
--- /dev/null
+++ b/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch
@@ -0,0 +1,25 @@
+diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
+index 205e60b6..0f84864e 100644
+--- a/src/plugins/imageformats/tga/qtgafile.cpp
++++ b/src/plugins/imageformats/tga/qtgafile.cpp
+@@ -166,6 +166,11 @@ QTgaFile::QTgaFile(QIODevice *device)
+ {
+ mErrorMessage = QObject::tr("Image depth not valid");
+ }
++ if (quint64(width()) * quint64(height()) > (8192 * 8192))
++ {
++ mErrorMessage = QObject::tr("Image size exceeds limit");
++ return;
++ }
+ int fileBytes = mDevice->size();
+ if (!mDevice->seek(fileBytes - FooterSize))
+ {
+@@ -237,6 +242,8 @@ QImage QTgaFile::readImage()
+ unsigned char yCorner = desc & 0x20; // 0 = lower, 1 = upper
+
+ QImage im(imageWidth, imageHeight, QImage::Format_ARGB32);
++ if (im.isNull())
++ return QImage();
+ TgaReader *reader = 0;
+ if (bitsPerPixel == 16)
+ reader = new Tga16Reader();
diff --git a/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch b/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
new file mode 100644
index 0000000..338800d
--- /dev/null
+++ b/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
@@ -0,0 +1,27 @@
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 77af8161..7378e962 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -746,16 +746,17 @@ static QVector<qreal> parsePercentageList(const QChar *&str)
+ static QString idFromUrl(const QString &url)
+ {
+ QString::const_iterator itr = url.constBegin();
+- while ((*itr).isSpace())
++ QString::const_iterator end = url.constEnd();
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('('))
++ if (itr != end && (*itr) == QLatin1Char('('))
+ ++itr;
+- while ((*itr).isSpace())
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('#'))
++ if (itr != end && (*itr) == QLatin1Char('#'))
+ ++itr;
+ QString id;
+- while ((*itr) != QLatin1Char(')')) {
++ while (itr != end && (*itr) != QLatin1Char(')')) {
+ id += *itr;
+ ++itr;
+ }
diff --git a/SPECS/qt.spec b/SPECS/qt.spec
index 1445784..a2b08a0 100644
--- a/SPECS/qt.spec
+++ b/SPECS/qt.spec
@@ -26,7 +26,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.7
-Release: 4%{?dist}
+Release: 8%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -201,9 +201,22 @@ Patch114: qt-revert-QTBUG-15319-fix-shortcuts-with-secondary-Xkb.patch
Patch115: qt-everywhere-opensource-src-4.8.5-do-not-close-apps-on-gnome-shutdown-dialog.patch
+
## upstream git
# security patches
+# Bug 1667861 - CVE-2018-15518 qt: qt5-qtbase: Double free in QXmlStreamReader
+Patch200: qt-fix-possible-heap-corruption-in-qxmlstream.patch
+# Bug 1702031 - CVE-2018-19872 qt: malformed PPM image causing division by zero and crash in qppmhandler.cpp
+Patch201: qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
+# Bug 1667882 - CVE-2018-19869 qt: qt5-qtsvg: Invalid parsing of malformed url reference resulting in a denial of service
+Patch202: qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
+# Bug 1667863 - CVE-2018-19870 qt: qt5-qtbase: QImage allocation failure in qgifhandler
+Patch203: qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
+# Bug 1667879 - CVE-2018-19871 qt: qt5-qtimageformats: QTgaFile CPU exhaustion
+Patch204: qt-tga-handler-check-for-out-of-range-image-size.patch
+# Bug 1667862 - CVE-2018-19873 qt: qt5-qtbase: QBmpHandler segmentation fault on malformed BMP file
+Patch205: qt-bmp-image-handler-check-for-out-of-range-image-size.patch
# desktop files
Source20: assistant.desktop
@@ -611,6 +624,12 @@ rm -rf src/3rdparty/clucene
# upstream git
# security fixes
+%patch200 -p1 -b .qt-fix-possible-heap-corruption-in-qxmlstream
+%patch201 -p1 -b .qt-fix-crash-in-qppmhandler-for-certain-malformed-images
+%patch202 -p1 -b .fix-crash-when-parsing-malformed-url-reference
+%patch203 -p1 -b .check-for-qimage-allocation-failure-in-qgifhandler.patch
+%patch204 -p1 -b .tga-handler-check-for-out-of-range-image-size.patch
+%patch205 -p1 -b .bmp-image-handler-check-for-out-of-range-image-size.patch
%define platform linux-g++
@@ -1328,10 +1347,27 @@ fi
%changelog
-* Tue Jul 23 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-4
-- Bump build version for RPM to not consider z-stream build as newer
- Revert fix for font cache check in QFontEngineFT::recalcAdvances()
- Resolves: bz#1684167
+* Fri Dec 06 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-8
+- Fix QImage allocation failure in qgifhandler
+ Resolves: bz#1667863
+
+- Fix QTgaFile CPU exhaustion
+ Resolves: bz#1667879
+
+- Fix QBmpHandler segmentation fault on malformed BMP file
+ Resolves: bz#1667862
+
+* Tue Oct 29 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-7
+- Fix crash when parsing malformed url reference in svg
+ Resolves: bz#1667882
+
+* Wed Oct 23 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-6
+- Fix crash in qppmhandler for certain malformed image files
+ Resolves: bz#1702031
+
+* Wed Oct 23 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-5
+- Fix possible heap corruption in QXmlStream
+ Resolves: bz#1667861
* Thu Mar 21 2019 Jan Grulich <jgrulich@redhat.com> - 1:4.8.7-3
- Revert fix for font cache check in QFontEngineFT::recalcAdvances()
@@ -1348,8 +1384,6 @@ fi
- Don't close Qt apps in Gnome on shutdown dialog
Resolves: bz#1378865
-* Wed May 24 2017 Jan Grulich <jgrulich@redhat.com> - 1:4.8.5-14
-
* Mon May 02 2016 Jan Grulich <jgrulich@redhat.com> - 1:4.8.5-13
- Prefer adwaita-qt theme over gtk
Resolves: bz#1332094