community/qt5-qtbase: fix CVE-2020-17507

Part of a fix for #11871

2 files changed, 96 insertions, 2 deletions

diff --git a/community/qt5-qtbase/APKBUILD b/community/qt5-qtbase/APKBUILD
index d3f17c84802..1aa11e8897d 100644
--- a/community/qt5-qtbase/APKBUILD
+++ b/community/qt5-qtbase/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Bart Ribbers <bribbers@disroot.org>
 pkgname=qt5-qtbase
 pkgver=5.15.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Qt5 - QtBase components"
 url="https://qt.io/developers/"
 arch="all"
@@ -56,6 +56,7 @@ esac
 source="https://download.qt.io/$_rel/qt/${pkgver%.*}/$pkgver/submodules/qtbase-everywhere-src-$pkgver.tar.xz
 	qt-musl-iconv-no-bom.patch
 	time64.patch
+	fix-buffer-overflow-in-xbm-parser.patch
 	"
 
 _qt5_prefix=/usr/lib/qt5
@@ -66,6 +67,10 @@ case "$CTARGET_ARCH" in
 	*) _opengl="-opengl";;
 esac
 
+# secfixes:
+#   5.15.0-r2:
+#     - CVE-2020-17507
+
 prepare() {
 	default_prepare
 
@@ -211,4 +216,5 @@ x11() {
 
 sha512sums="c584d69e49f4959d9b8541f820f5ff1e6d1599697ad16976b47cbaaa902fc83e1ca4ae57d56d13574e42e5f602d4420245ad7fcfc13e224e10d4bbad6a537d1a  qtbase-everywhere-src-5.15.0.tar.xz
 7d68421a14f0259535c977d8a521c98918193c107b76ac664571b12f5b0d7588a0d0e1297af412a26753a393b21f3f44c3274fa8ab5bc87f03705a3a03acb444  qt-musl-iconv-no-bom.patch
-436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c  time64.patch"
+436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c  time64.patch
+61f9d1ee6395a9617b940121a4112bbaa76c2300c66cbfc89118b2e704e3d0e8216b86a29dc0adc95ac87461d2299d4e5767ec43bfaf5ae67b39612ede0a7d06  fix-buffer-overflow-in-xbm-parser.patch"
diff --git a/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch
new file mode 100644
index 00000000000..16a0cef1278
--- /dev/null
+++ b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch
@@ -0,0 +1,88 @@
+From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: [PATCH] Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index f065616..72ce7f7 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -159,7 +159,9 @@
+     w = (w+7)/8;                                // byte width
+ 
+     while (y < h) {                                // for all encoded bytes...
+-        if (p) {                                // p = "0x.."
++        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
++            if (!isxdigit(p[2]) || !isxdigit(p[3]))
++                return false;
+             *b++ = hex2byte(p+2);
+             p += 2;
+             if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index cf8a0d1..984a7c7 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -175,6 +175,8 @@
+ 
+     void xpmBufferOverflow();
+ 
++    void xbmBufferHandling();
++
+ private:
+     QString prefix;
+     QTemporaryDir m_temporaryDir;
+@@ -2055,5 +2057,41 @@
+     QImageReader(":/images/oss-fuzz-23988.xpm").read();
+ }
+ 
++void tst_QImageReader::xbmBufferHandling()
++{
++    uint8_t original_buffer[256];
++    for (int i = 0; i < 256; ++i)
++        original_buffer[i] = i;
++
++    QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++    image.setColorTable({0xff000000, 0xffffffff});
++
++    QByteArray buffer;
++    {
++        QBuffer buf(&buffer);
++        QImageWriter writer(&buf, "xbm");
++        writer.write(image);
++    }
++
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++    auto i = buffer.indexOf(',');
++    buffer.insert(i + 1, "                                                                                ");
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++    buffer.insert(i + 1, "                                                                                ");
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++    buffer.insert(i + 1, "                                                                              ");
++#if 0   // Lines longer than 300 chars not supported currently
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++    i = buffer.lastIndexOf("\n ");
++    buffer.truncate(i + 1);
++    buffer.append(QByteArray(297, ' '));
++    buffer.append("0x");
++    // Only check we get no buffer overflow
++    QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"