From 169d7fbf765350facec5311e363d3b71bda6dd8e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 08 2021 18:05:16 +0000
Subject: import qt5-qtimageformats-5.9.7-2.el7_9
---
diff --git a/SOURCES/qtimageformats-CVE-2018-25011.patch b/SOURCES/qtimageformats-CVE-2018-25011.patch
new file mode 100644
index 0000000..3a7a366
--- /dev/null
+++ b/SOURCES/qtimageformats-CVE-2018-25011.patch
@@ -0,0 +1,32 @@
+diff --git a/src/3rdparty/libwebp/src/mux/muxread.c b/src/3rdparty/libwebp/src/mux/muxread.c
+index 410acd9..c7036d2 100644
+--- a/src/3rdparty/libwebp/src/mux/muxread.c
++++ b/src/3rdparty/libwebp/src/mux/muxread.c
+@@ -137,6 +137,7 @@ static int MuxImageParse(const WebPChunk* const chunk, int copy_data,
+ wpi->is_partial_ = 1; // Waiting for a VP8 chunk.
+ break;
+ case WEBP_CHUNK_IMAGE:
++ if (wpi->img_ != NULL) goto Fail; // Only 1 image chunk allowed.
+ if (ChunkSetNth(&subchunk, &wpi->img_, 1) != WEBP_MUX_OK) goto Fail;
+ if (!MuxImageFinalize(wpi)) goto Fail;
+ wpi->is_partial_ = 0; // wpi is completely filled.
+diff --git a/src/3rdparty/libwebp/src/utils/quant_levels_dec_utils.c b/src/3rdparty/libwebp/src/utils/quant_levels_dec_utils.c
+index d4d23d3..add8af6 100644
+--- a/src/3rdparty/libwebp/src/utils/quant_levels_dec_utils.c
++++ b/src/3rdparty/libwebp/src/utils/quant_levels_dec_utils.c
+@@ -260,9 +260,14 @@ static void CleanupParams(SmoothParams* const p) {
+
+ int WebPDequantizeLevels(uint8_t* const data, int width, int height, int stride,
+ int strength) {
+- const int radius = 4 * strength / 100;
++ int radius = 4 * strength / 100;
+ if (strength < 0 || strength > 100) return 0;
+ if (data == NULL || width <= 0 || height <= 0) return 0; // bad params
++
++ // limit the filter size to not exceed the image dimensions
++ if (2 * radius + 1 > width) radius = (width - 1) >> 1;
++ if (2 * radius + 1 > height) radius = (height - 1) >> 1;
++
+ if (radius > 0) {
+ SmoothParams p;
+ memset(&p, 0, sizeof(p));
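Review bot: In the quant_levels_dec_utils.c part, `int radius = 4 * strength / 100;` is still evaluated before `strength` is range-checked on the following line, so an out-of-range `strength` goes through a signed multiplication (undefined on overflow) before the function rejects it. Now that `radius` is no longer `const`, it can be declared without an initialiser and assigned after the two parameter checks, with `radius = 4 * strength / 100;` placed just before the new clamp. The clamp reduces `radius` to 0 for a 1- or 2-pixel dimension, which skips smoothing through the existing `if (radius > 0)`; the new comment could say so, e.g. `// window is 2*radius+1 wide; shrink it to fit, 0 disables smoothing`. The body of WebPDequantizeLevels continues past the end of the hunk.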
diff --git a/SOURCES/qtimageformats-CVE-2018-25014.patch b/SOURCES/qtimageformats-CVE-2018-25014.patch
new file mode 100644
index 0000000..db4a583
--- /dev/null
+++ b/SOURCES/qtimageformats-CVE-2018-25014.patch
@@ -0,0 +1,17 @@
+diff --git a/src/3rdparty/libwebp/src/dec/idec_dec.c b/src/3rdparty/libwebp/src/dec/idec_dec.c
+index 78fb2e7..cf7e182 100644
+--- a/src/3rdparty/libwebp/src/dec/idec_dec.c
++++ b/src/3rdparty/libwebp/src/dec/idec_dec.c
+@@ -473,6 +473,12 @@ static VP8StatusCode DecodeRemaining(WebPIDecoder* const idec) {
+ MemDataSize(&idec->mem_) > MAX_MB_SIZE) {
+ return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR);
+ }
++ // Synchronize the threads.
++ if (dec->mt_method_ > 0) {
++ if (!WebPGetWorkerInterface()->Sync(&dec->worker_)) {
++ return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR);
++ }
++ }
+ RestoreContext(&context, dec, token_br);
+ return VP8_STATUS_SUSPENDED;
+ }
diff --git a/SOURCES/qtimageformats-CVE-2020-36328.patch b/SOURCES/qtimageformats-CVE-2020-36328.patch
new file mode 100644
index 0000000..e66af93
--- /dev/null
+++ b/SOURCES/qtimageformats-CVE-2020-36328.patch
@@ -0,0 +1,14 @@
+diff --git a/src/3rdparty/libwebp/src/dec/buffer_dec.c b/src/3rdparty/libwebp/src/dec/buffer_dec.c
+index c685fd5..ae5ba5d 100644
+--- a/src/3rdparty/libwebp/src/dec/buffer_dec.c
++++ b/src/3rdparty/libwebp/src/dec/buffer_dec.c
+@@ -74,7 +74,8 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
+ } else { // RGB checks
+ const WebPRGBABuffer* const buf = &buffer->u.RGBA;
+ const int stride = abs(buf->stride);
+- const uint64_t size = MIN_BUFFER_SIZE(width, height, stride);
++ const uint64_t size =
++ MIN_BUFFER_SIZE(width * kModeBpp[mode], height, stride);
+ ok &= (size <= buf->size);
+ ok &= (stride >= width * kModeBpp[mode]);
+ ok &= (buf->rgba != NULL);
diff --git a/SOURCES/qtimageformats-CVE-2020-36329.patch b/SOURCES/qtimageformats-CVE-2020-36329.patch
new file mode 100644
index 0000000..9d40270
--- /dev/null
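Review bot: The new `Sync()` failure path in DecodeRemaining always reports `VP8_STATUS_BITSTREAM_ERROR`, whatever the worker actually failed on, and the comment `// Synchronize the threads.` does not say why the wait has to happen at this point. Presumably the worker may still be using decoder state that `RestoreContext()` rewinds on the next line; if so, a comment such as `// Wait for the worker: RestoreContext() rewinds state it may still be reading.` would protect the ordering against later edits. If the decoder records a more specific status for the failed job, returning that would make failures easier to triage, but the decoder struct is not visible here, so this needs checking against the source. DecodeRemaining starts and ends outside the hunk.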
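Review bot: In CheckDecBuffer the corrected size check passes `width * kModeBpp[mode]` into `MIN_BUFFER_SIZE`, and the same product is computed again in the `stride >= width * kModeBpp[mode]` test two lines later; both are evaluated at the operands' own width before any widening the macro may do (its definition is outside the hunk). Hoisting the product into one 64-bit local, `const uint64_t row_bytes = (uint64_t)width * kModeBpp[mode];`, and using it in both places would keep the two checks in agreement and remove the dependence on `width` being small enough not to overflow. Whether `width` is already bounded earlier in the function cannot be seen from this hunk.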
+++ b/SOURCES/qtimageformats-CVE-2020-36329.patch @@ -0,0 +1,17 @@ +diff --git a/src/3rdparty/libwebp/src/dec/idec_dec.c b/src/3rdparty/libwebp/src/dec/idec_dec.c +index 78fb2e7..bfb721d 100644 +--- a/src/3rdparty/libwebp/src/dec/idec_dec.c ++++ b/src/3rdparty/libwebp/src/dec/idec_dec.c +@@ -283,10 +283,8 @@ static void RestoreContext(const MBContext* context, VP8Decoder* const dec, + + static VP8StatusCode IDecError(WebPIDecoder* const idec, VP8StatusCode error) { + if (idec->state_ == STATE_VP8_DATA) { +- VP8Io* const io = &idec->io_; +- if (io->teardown != NULL) { +- io->teardown(io); +- } ++ // Synchronize the thread, clean-up and check for errors. ++ VP8ExitCritical((VP8Decoder*)idec->dec_, &idec->io_); + } + idec->state_ = STATE_ERROR; + return error; diff --git a/SPECS/qt5-qtimageformats.spec b/SPECS/qt5-qtimageformats.spec index e97e7e3..86dca7a 100644 --- a/SPECS/qt5-qtimageformats.spec +++ b/SPECS/qt5-qtimageformats.spec @@ -11,7 +11,7 @@ Summary: Qt5 - QtImageFormats component Name: qt5-%{qt_module} Version: 5.9.7 -Release: 1%{?dist} +Release: 2%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -20,6 +20,12 @@ Source0: http://download.qt.io/official_releases/qt/5.9/%{version}/submodules/%{ Patch1: qtimageformats-disable-neon.patch +# Security fixes +Patch100: qtimageformats-CVE-2018-25011.patch +Patch101: qtimageformats-CVE-2018-25014.patch +Patch102: qtimageformats-CVE-2020-36328.patch +Patch103: qtimageformats-CVE-2020-36329.patch + BuildRequires: qt5-qtbase-devel >= %{version} BuildRequires: libmng-devel BuildRequires: libtiff-devel @@ -64,6 +70,11 @@ BuildArch: noarch %patch1 -p1 -b .qtimageformats-disable-neon +%patch100 -p1 -b .qtimageformats-CVE-2018-25011 +%patch101 -p1 -b .qtimageformats-CVE-2018-25014 +%patch102 -p1 -b .qtimageformats-CVE-2020-36328 +%patch103 -p1 -b .qtimageformats-CVE-2020-36329 + %if 0%{?webp} rm -rv src/3rdparty %endif 
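Review bot: The comment added in IDecError says `check for errors`, but the result of `VP8ExitCritical()` is not used, so nothing is actually checked. Since the function is already on the error path and returns the caller's `error`, either drop that part of the comment or make the intent explicit with `(void)VP8ExitCritical((VP8Decoder*)idec->dec_, &idec->io_);`. The cast also relies on `STATE_VP8_DATA` implying that `idec->dec_` is a `VP8Decoder`; that looks right from the state name, but the declaration is outside the hunk, so a short comment stating the invariant would help.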
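Review bot: In the `%prep` hunk (`@@ -64,6 +70,11 @@`), all four `%patch100`–`%patch103` lines modify files under `src/3rdparty/libwebp`, and the very next lines are `%if 0%{?webp}` / `rm -rv src/3rdparty`, so when the `webp` macro is set the patched tree is deleted and the fixes never reach the build. In that configuration the package presumably links the system libwebp, and the CVEs are only closed if that package carries the same fixes. A comment above the `# Security fixes` block would make that dependency visible, e.g. `# Only effective for the bundled libwebp; with %{webp} set the system libwebp must carry these fixes`. The patch files also start directly at `diff --git` with no header naming the upstream commit they were taken from, which makes later audits of the backport harder.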
@@ -106,6 +117,13 @@ make install_docs INSTALL_ROOT=%{buildroot} %changelog +* Tue May 25 2021 Jan Grulich - 5.9.7-2 +- libwebp security fixes: + Resolves: bz#1961742 + Resolves: bz#1961743 + Resolves: bz#1961744 + Resolves: bz#1961745 + * Thu Feb 07 2019 Jan Grulich - 5.9.7-1 - Update to 5.9.7 Resolves: bz#1564007