Hello community, here is the log from the commit of package kimageformats for openSUSE:Factory checked in at 2019-02-04 21:10:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kimageformats (Old) and /work/SRC/openSUSE:Factory/.kimageformats.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kimageformats" Mon Feb 4 21:10:43 2019 rev:63 rq:670262 version:5.54.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kimageformats/kimageformats.changes 2019-01-21 10:20:39.470056789 +0100 +++ /work/SRC/openSUSE:Factory/.kimageformats.new.28833/kimageformats.changes 2019-02-04 21:10:44.239883591 +0100 @@ -1,0 +2,17 @@ +Thu Jan 31 07:48:50 UTC 2019 - Fabian Vogt <[email protected]> + +- Add ghostscript requirement to the -eps subpackage + +------------------------------------------------------------------- +Mon Jan 28 13:30:26 UTC 2019 - Fabian Vogt <[email protected]> + +- Add patch to fix buffer overflows (boo#1123281): + * 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch + +------------------------------------------------------------------- +Wed Jan 23 17:47:54 UTC 2019 - Fabian Vogt <[email protected]> + +- Split out the eps plugin into an independant subpackage (bsc#1117336) +- Remove unnecessary ldconfig calls + +------------------------------------------------------------------- New: ---- 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kimageformats.spec ++++++ --- /var/tmp/diff_new_pack.0j4p9g/_old 2019-02-04 21:10:44.691883429 +0100 +++ /var/tmp/diff_new_pack.0j4p9g/_new 2019-02-04 21:10:44.695883428 +0100 @@ -30,6 +30,8 @@ URL: https://www.kde.org Source: http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz Source1: baselibs.conf +# PATCH-FIX-UPSTREAM +Patch001: 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch BuildRequires: cmake >= 3.0 BuildRequires: extra-cmake-modules >= %{_kf5_bugfix_version} BuildRequires: fdupes @@ -43,6 +45,7 @@ %requires_ge libQt5Gui5 %requires_ge libQt5PrintSupport5 Recommends: libqt5-qtimageformats >= 5.6.0 +Suggests: %{name}-eps %description This framework provides additional image format plugins for QtGui. As 
@@ -50,8 +53,19 @@
 may be a runtime requirement for Qt-based software to support certain image formats.
+%package eps
+Summary: EPS image format plugin for Qt
+Group: System/GUI/KDE
+Conflicts: %{name} < %{version}-%{release}
+Requires: ghostscript
+
+%description eps
+This plugin provides support for the EPS document format for QtGui. As
+it invokes ghostscript for conversion, it should only be used in trusted
+environments.
+
 %prep
-%setup -q
+%autosetup -p1
 %build
 %cmake_kf5 -d build
@@ -61,12 +75,38 @@
 %kf5_makeinstall -C build
 %fdupes %{buildroot}
-%post -n kimageformats -p /sbin/ldconfig
-%postun -n kimageformats -p /sbin/ldconfig
-
 %files
 %license COPYING*
-%{_kf5_plugindir}/
-%{_kf5_servicesdir}/
+%dir %{_kf5_plugindir}/imageformats
+%{_kf5_plugindir}/imageformats/kimg_exr.so
+%{_kf5_plugindir}/imageformats/kimg_kra.so
+%{_kf5_plugindir}/imageformats/kimg_ora.so
+%{_kf5_plugindir}/imageformats/kimg_pcx.so
+%{_kf5_plugindir}/imageformats/kimg_pic.so
+%{_kf5_plugindir}/imageformats/kimg_psd.so
+%{_kf5_plugindir}/imageformats/kimg_ras.so
+%{_kf5_plugindir}/imageformats/kimg_rgb.so
+%{_kf5_plugindir}/imageformats/kimg_tga.so
+%{_kf5_plugindir}/imageformats/kimg_xcf.so
+%dir %{_kf5_servicesdir}/qimageioplugins
+%{_kf5_servicesdir}/qimageioplugins/dds.desktop
+%{_kf5_servicesdir}/qimageioplugins/exr.desktop
+%{_kf5_servicesdir}/qimageioplugins/jp2.desktop
+%{_kf5_servicesdir}/qimageioplugins/kra.desktop
+%{_kf5_servicesdir}/qimageioplugins/ora.desktop
+%{_kf5_servicesdir}/qimageioplugins/pcx.desktop
+%{_kf5_servicesdir}/qimageioplugins/pic.desktop
+%{_kf5_servicesdir}/qimageioplugins/psd.desktop
+%{_kf5_servicesdir}/qimageioplugins/ras.desktop
+%{_kf5_servicesdir}/qimageioplugins/rgb.desktop
+%{_kf5_servicesdir}/qimageioplugins/tga.desktop
+%{_kf5_servicesdir}/qimageioplugins/xcf.desktop
+
+%files eps
+%license COPYING*
+%dir %{_kf5_plugindir}/imageformats
+%dir %{_kf5_servicesdir}/qimageioplugins
+%{_kf5_plugindir}/imageformats/kimg_eps.so
+%{_kf5_servicesdir}/qimageioplugins/eps.desktop
 %changelog
++++++ 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch ++++++ >From 51d710adda146bc19427c9ea3443c9e0919e6647 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <[email protected]> Date: Sun, 20 Jan 2019 12:51:02 +0100 Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf Summary: I had a look at some image loading code in kimageformats and found memory corruption bugs (there might be more): - oobwrite4b.xcf: OOB write in kimg_xcf: By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten: https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484 The values aren't arbitrary, so AFAICT DoS only. Fix is to move the sanity check for size below the assignment. - oobread.tga: OOB read in kimg_tga: By overflowing the "size = tga.width * tga.height * pixel_size" calculation, it's possible to cause OOB reads later on as the image data array is too small: https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192 Fix is to use a 64bit integer instead. - oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga If RLE is enabled, any size checks are skipped, so it's possible to write either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga) or 507 arbitrary bytes (oobwrite507.tga) out of bounds. https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209 Fix is to check for "num" being negative before reading into the buffer. Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise) Test Plan: Stopped crashing and valgrind doesn't complain anymore. TGA preview still works for valid files.
Reviewers: aacid Reviewed By: aacid Subscribers: lbeltrame, kde-frameworks-devel Tags: #frameworks Differential Revision: https://phabricator.kde.org/D18574
---
 src/imageformats/tga.cpp | 27 +++++++++++++++++++++++----
 src/imageformats/xcf.cpp | 3 ++-
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
index 3a22b45..9217bed 100644
--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
@@ -189,7 +189,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
 }
 uint pixel_size = (tga.pixel_size / 8);
- uint size = tga.width * tga.height * pixel_size;
+ qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
 if (size < 1) {
 // qDebug() << "This TGA file is broken with size " << size;
@@ -204,20 +204,34 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
 }
 // Allocate image.
- uchar *const image = new uchar[size];
+ uchar *const image = reinterpret_cast<uchar*>(malloc(size));
+ if (!image) {
+ return false;
+ }
+
+ bool valid = true;
 if (info.rle) {
 // Decode image.
 char *dst = (char *)image;
- int num = size;
+ qint64 num = size;
 while (num > 0) {
+ if (s.atEnd()) {
+ valid = false;
+ break;
+ }
+
 // Get packet header.
 uchar c;
 s >> c;
 uint count = (c & 0x7f) + 1;
 num -= count * pixel_size;
+ if (num < 0) {
+ valid = false;
+ break;
+ }
 if (c & 0x80) {
 // RLE pixels.
@@ -240,6 +254,11 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
 s.readRawData((char *)image, size);
 }
+ if (!valid) {
+ free(image);
+ return false;
+ }
+
 // Convert image to internal format.
 int y_start, y_step, y_end;
 if (tga.flags & TGA_ORIGIN_UPPER) {
@@ -294,7 +313,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
 }
 // Free image.
- delete [] image;
+ free(image);
 return true;
 }
diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
index f837112..3afb599 100644
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -495,11 +495,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
 quint32 ncolors;
 xcf_io >> ncolors;
+ size = 3 * ncolors + 4;
+
 if (size > 65535 || size < 4) {
 return false;
 }
- size = 3 * ncolors + 4;
 data = new char[size];
 // since we already read "ncolors" from the stream, we put that data back
-- 2.20.1
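Review bot: `reinterpret_cast<uchar*>(malloc(size))` in the second tga.cpp hunk narrows the new `qint64 size` to `size_t` at the call, so on a 32-bit build a declared width×height×bytes of 2^32 or more wraps to a small request that malloc may satisfy, while the decode loop is still bounded by the unwrapped `qint64 num = size`; `static_cast<uchar *>` is also the appropriate cast from `void *`. Rejecting oversized images before allocating, `if (size > kMaxTgaImageBytes) return false;` (placeholder limit to be chosen by the project; the commit message itself notes that a 14-byte file can declare a 65k×65k image), closes this independently of the allocator and bounds the memory a hostile header can demand. The repeated `free(image); return false;` pairs could be folded into a single owning type, though `malloc` was presumably chosen so that allocation failure reports `false` instead of throwing. LoadTGA begins and ends outside this hunk.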
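Review bot: The `s.readRawData((char *)image, size)` context line in the third tga.cpp hunk still discards the number of bytes actually read, so a truncated file leaves part of the freshly allocated, uninitialised buffer to be converted into output pixels by the code that follows. The new `valid` flag is the natural place for the check: `if (s.readRawData((char *)image, size) != size) valid = false;`. `readRawData` also takes an `int` length while `size` is now `qint64`, so a value above `INT_MAX` is narrowed at this call; a `size > INT_MAX` rejection next to the `size < 1` test in the first hunk keeps both this read and the `malloc` argument in range. The else branch this line belongs to starts outside the hunk.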
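Review bot: The relocated check bounds `size` but not `ncolors`: `3 * ncolors + 4` is evaluated in `quint32` arithmetic (`ncolors` is declared `quint32` in the hunk), so a count near 2^32/3 wraps to a small `size` that passes `size > 65535 || size < 4`, while the original `ncolors` value is still written back into `data` per the comment on the last context line. If whatever later parses the colormap sizes its work from `ncolors` rather than from `size`, the wrapped value is still reachable; rejecting the count directly before the multiplication, `if (ncolors > (65535u - 4) / 3) return false;`, makes the two agree regardless of the consumer. loadProperty begins and ends outside this hunk.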
