From f9e1ca249f181a3cf02a78ee5f82d011a6a24553 Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
Date: Sat, 22 Aug 2020 15:07:10 -0400
Subject: dev-qt/qtgui: sync

---
 .../qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch  | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch

(limited to 'dev-qt/qtgui/files')

diff --git a/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch b/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch
new file mode 100644
index 0000000..cad9aa4
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch
@@ -0,0 +1,39 @@
+From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/gui/image/qxbmhandler.cpp                      |  4 ++-
+ .../gui/image/qimagereader/tst_qimagereader.cpp    | 38 ++++++++++++++++++++++
+ 2 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index f06561690c..72ce7f7ecd 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -159,7 +159,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
+     w = (w+7)/8;                                // byte width
+ 
+     while (y < h) {                                // for all encoded bytes...
+-        if (p) {                                // p = "0x.."
++        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
++            if (!isxdigit(p[2]) || !isxdigit(p[3]))
++                return false;
+             *b++ = hex2byte(p+2);
+             p += 2;
+             if (++x == w && ++y < h) {
+-- 
+cgit v1.2.1
+
-- 
cgit v1.2.3-54-g00ecf