Hello community, here is the log from the commit of package kimageformats for openSUSE:Factory checked in at 2020-06-16 13:42:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kimageformats (Old) and /work/SRC/openSUSE:Factory/.kimageformats.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kimageformats" Tue Jun 16 13:42:58 2020 rev:81 rq:814366 version:5.71.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kimageformats/kimageformats.changes 2020-05-11 13:30:14.063719039 +0200 +++ /work/SRC/openSUSE:Factory/.kimageformats.new.3606/kimageformats.changes 2020-06-16 13:43:19.129219313 +0200 @@ -1,0 +2,10 @@ +Sun Jun 7 08:06:43 UTC 2020 - Christophe Giboudeaux <christo...@krop.fr> + +- Update to 5.71.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/kde-frameworks-5.71.0 +- Changes since 5.70.0: + * Add some sanity and bounds checking + +------------------------------------------------------------------- Old: ---- kimageformats-5.70.0.tar.xz kimageformats-5.70.0.tar.xz.sig New: ---- kimageformats-5.71.0.tar.xz kimageformats-5.71.0.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kimageformats.spec ++++++ --- /var/tmp/diff_new_pack.8LjCUp/_old 2020-06-16 13:43:19.757221602 +0200 +++ /var/tmp/diff_new_pack.8LjCUp/_new 2020-06-16 13:43:19.761221617 +0200 @@ -16,7 +16,7 @@ # -%define _tar_path 5.70 +%define _tar_path 5.71 # Full KF5 version (e.g. 5.33.0) %{!?_kf5_version: %global _kf5_version %{version}} # Last major and minor KF5 version (e.g. 5.33) @@ -24,7 +24,7 @@ # Only needed for the package signature condition %bcond_without lang Name: kimageformats -Version: 5.70.0 +Version: 5.71.0 Release: 0 Summary: Image format plugins for Qt License: LGPL-2.1-or-later ++++++ kimageformats-5.70.0.tar.xz -> kimageformats-5.71.0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/.arcconfig new/kimageformats-5.71.0/.arcconfig --- old/kimageformats-5.70.0/.arcconfig 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/.arcconfig 1970-01-01 01:00:00.000000000 +0100 @@ -1,3 +0,0 @@ -{ - "phabricator.uri" : "https://phabricator.kde.org/"; -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/CMakeLists.txt new/kimageformats-5.71.0/CMakeLists.txt --- old/kimageformats-5.70.0/CMakeLists.txt 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/CMakeLists.txt 2020-06-06 21:34:48.000000000 +0200 @@ -5,7 +5,7 @@ set (CMAKE_CXX_STANDARD 14) include(FeatureSummary) -find_package(ECM 5.70.0 NO_MODULE) +find_package(ECM 5.71.0 NO_MODULE) set_package_properties(ECM PROPERTIES TYPE REQUIRED DESCRIPTION "Extra CMake Modules." URL "https://commits.kde.org/extra-cmake-modules";) feature_summary(WHAT REQUIRED_PACKAGES_NOT_FOUND FATAL_ON_MISSING_REQUIRED_PACKAGES) @@ -51,7 +51,7 @@ # 050d00 (5.13) triggers a BIC in qimageiohandler.h, in Qt 5.13, so do not enable that until we can require 5.14 # https://codereview.qt-project.org/c/qt/qtbase/+/279215 add_definitions(-DQT_DISABLE_DEPRECATED_BEFORE=0x050c00) -add_definitions(-DKF_DISABLE_DEPRECATED_BEFORE_AND_AT=0x054400) +add_definitions(-DKF_DISABLE_DEPRECATED_BEFORE_AND_AT=0x054700) add_subdirectory(src) if (BUILD_TESTING) add_subdirectory(autotests) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/exr.cpp new/kimageformats-5.71.0/src/imageformats/exr.cpp --- old/kimageformats-5.70.0/src/imageformats/exr.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/exr.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -172,17 +172,18 @@ width = dw.max.x - dw.min.x + 1; height = dw.max.y - dw.min.y + 1; + QImage image(width, height, QImage::Format_RGB32); + if (image.isNull()) { + qWarning() << "Failed to allocate image, invalid size?" << QSize(width, height); + return false; + } + Imf::Array2D<Imf::Rgba> pixels; pixels.resizeErase(height, width); file.setFrameBuffer(&pixels[0][0] - dw.min.x - dw.min.y * width, 1, width); file.readPixels(dw.min.y, dw.max.y); - QImage image(width, height, QImage::Format_RGB32); - if (image.isNull()) { - return false; - } - // somehow copy pixels into image for (int y = 0; y < height; y++) { for (int x = 0; x < width; x++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/pcx.cpp new/kimageformats-5.71.0/src/imageformats/pcx.cpp --- old/kimageformats-5.70.0/src/imageformats/pcx.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/pcx.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -253,8 +253,10 @@ img = QImage(header.width(), header.height(), QImage::Format_Mono); img.setColorCount(2); - if (img.isNull()) + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width(), header.height()); return; + } for (int y = 0; y < header.height(); ++y) { if (s.atEnd()) { @@ -282,6 +284,10 @@ img = QImage(header.width(), header.height(), QImage::Format_Indexed8); img.setColorCount(16); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width(), header.height()); + return; + } for (int y = 0; y < header.height(); ++y) { if (s.atEnd()) { @@ -301,6 +307,9 @@ } uchar *p = img.scanLine(y); + if (!p) { + qWarning() << "Failed to get scanline for" << y << "might be out of bounds"; + } for (int x = 0; x < header.width(); ++x) { p[ x ] = pixbuf[ x ]; } @@ -319,6 +328,11 @@ img = QImage(header.width(), header.height(), QImage::Format_Indexed8); img.setColorCount(256); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width(), header.height()); + return; + } + for (int y = 0; y < header.height(); ++y) { if (s.atEnd()) { img = QImage(); @@ -360,6 +374,11 @@ img = QImage(header.width(), header.height(), QImage::Format_RGB32); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width(), header.height()); + return; + } + for (int y = 0; y < header.height(); ++y) { if (s.atEnd()) { img = QImage(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/pic.cpp new/kimageformats-5.71.0/src/imageformats/pic.cpp --- old/kimageformats-5.70.0/src/imageformats/pic.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/pic.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -253,6 +253,11 @@ } QImage img(m_header.width, m_header.height, fmt); + if (img.isNull()) { + qDebug() << "Failed to allocate image, invalid dimensions?" << QSize(m_header.width, m_header.height) << fmt; + return false; + } + img.fill(qRgb(0,0,0)); for (int y = 0; y < m_header.height; y++) { @@ -362,6 +367,7 @@ m_state = ReadHeader; } } + return m_state != Error; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/psd.cpp new/kimageformats-5.71.0/src/imageformats/psd.cpp --- old/kimageformats-5.70.0/src/imageformats/psd.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/psd.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -171,10 +171,20 @@ channel_num = 4; } img = QImage(header.width, header.height, fmt); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(header.width, header.height); + return false; + } img.fill(qRgb(0,0,0)); const quint32 pixel_count = header.height * header.width; + // Verify this, as this is used to write into the memory of the QImage + if (pixel_count > img.sizeInBytes() / sizeof(QRgb)) { + qWarning() << "Invalid pixel count!" << pixel_count << "bytes available:" << img.sizeInBytes(); + return false; + } + QRgb *image_data = reinterpret_cast<QRgb*>(img.bits()); if (!image_data) { @@ -276,6 +286,11 @@ char head[4]; qint64 readBytes = device->read(head, sizeof(head)); + if (readBytes < 0) { + qWarning() << "Read failed" << device->errorString(); + return false; + } + if (readBytes != sizeof(head)) { if (device->isSequential()) { while (readBytes > 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/rgb.cpp new/kimageformats-5.71.0/src/imageformats/rgb.cpp --- old/kimageformats-5.70.0/src/imageformats/rgb.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/rgb.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -313,6 +313,10 @@ } img = QImage(_xsize, _ysize, QImage::Format_RGB32); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(_xsize, _ysize); + return false; + } if (_zsize == 0 ) return false; @@ -470,7 +474,14 @@ uint len; for (y = 0; y < _ysize; y++) { - c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1)); + const int yPos = _ysize - y - 1; // scanline doesn't do any sanity checking + if (yPos >= img.height()) { + qWarning() << "Failed to get scanline for" << yPos; + return false; + } + + c = reinterpret_cast<const QRgb *>(img.scanLine(yPos)); + for (x = 0; x < _xsize; x++) { buf[x] = intensity(qRed(*c++)); } @@ -484,7 +495,13 @@ if (_zsize != 2) { for (y = 0; y < _ysize; y++) { - c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1)); + const int yPos = _ysize - y - 1; + if (yPos >= img.height()) { + qWarning() << "Failed to get scanline for" << yPos; + return false; + } + + c = reinterpret_cast<const QRgb *>(img.scanLine(yPos)); for (x = 0; x < _xsize; x++) { buf[x] = intensity(qGreen(*c++)); } @@ -493,7 +510,13 @@ } for (y = 0; y < _ysize; y++) { - c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1)); + const int yPos = _ysize - y - 1; + if (yPos >= img.height()) { + qWarning() << "Failed to get scanline for" << yPos; + return false; + } + + c = reinterpret_cast<const QRgb *>(img.scanLine(yPos)); for (x = 0; x < _xsize; x++) { buf[x] = intensity(qBlue(*c++)); } @@ -507,7 +530,13 @@ } for (y = 0; y < _ysize; y++) { - c = reinterpret_cast<const QRgb *>(img.scanLine(_ysize - y - 1)); + const int yPos = _ysize - y - 1; + if (yPos >= img.height()) { + qWarning() << "Failed to get scanline for" << yPos; + return false; + } + + c = reinterpret_cast<const QRgb *>(img.scanLine(yPos)); for (x = 0; x < _xsize; x++) { buf[x] = intensity(qAlpha(*c++)); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kimageformats-5.70.0/src/imageformats/tga.cpp new/kimageformats-5.71.0/src/imageformats/tga.cpp --- old/kimageformats-5.70.0/src/imageformats/tga.cpp 2020-05-02 23:58:20.000000000 +0200 +++ new/kimageformats-5.71.0/src/imageformats/tga.cpp 2020-06-06 21:34:48.000000000 +0200 @@ -178,6 +178,10 @@ { // Create image. img = QImage(tga.width, tga.height, QImage::Format_RGB32); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(tga.width, tga.height); + return false; + } TgaHeaderInfo info(tga); @@ -186,6 +190,10 @@ // However alpha exists only in the 32 bit format. if ((tga.pixel_size == 32) && (tga.flags & 0xf)) { img = QImage(tga.width, tga.height, QImage::Format_ARGB32); + if (img.isNull()) { + qWarning() << "Failed to allocate image, invalid dimensions?" << QSize(tga.width, tga.height); + return false; + } if (numAlphaBits > 8) { return false; @@ -229,9 +237,10 @@ if (info.rle) { // Decode image. char *dst = (char *)image; + char *imgEnd = dst + size; qint64 num = size; - while (num > 0) { + while (num > 0 && valid) { if (s.atEnd()) { valid = false; break; @@ -257,6 +266,12 @@ memset(&pixel[dataRead], 0, pixel_size - dataRead); } do { + if (dst + pixel_size > imgEnd) { + qWarning() << "Trying to write out of bounds!" << ptrdiff_t(dst) << (ptrdiff_t(imgEnd) - ptrdiff_t(pixel_size)); + valid = false; + break; + } + memcpy(dst, pixel, pixel_size); dst += pixel_size; } while (--count); @@ -268,8 +283,17 @@ free(image); return false; } + + if ((uint)dataRead < count) { - memset(&dst[dataRead], 0, count - dataRead); + const size_t toCopy = count - dataRead; + if (&dst[dataRead] + toCopy > imgEnd) { + qWarning() << "Trying to write out of bounds!" << ptrdiff_t(image) << ptrdiff_t(&dst[dataRead]);; + valid = false; + break; + } + + memset(&dst[dataRead], 0, toCopy); } dst += count; }
