- Fix an integer overflow vulnerability in Qt and kdelibs

- Bump PORTREVISIONs

Approved by:	portmgr (erwin)
Security:	CVE-2006-4811
Security:	https://rhn.redhat.com/errata/RHSA-2006-0720.html

2 files changed, 141 insertions, 1 deletions

diff --git a/x11-toolkits/qt33/Makefile b/x11-toolkits/qt33/Makefile
index 580171a..6ada997 100644
--- a/x11-toolkits/qt33/Makefile
+++ b/x11-toolkits/qt33/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	qt
 PORTVERSION=	3.3.6
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES?=	x11-toolkits ipv6
 MASTER_SITES=	${MASTER_SITE_QT}
 DISTNAME=	qt-x11-free-${PORTVERSION}
diff --git a/x11-toolkits/qt33/files/patch-CVE-2006-4811 b/x11-toolkits/qt33/files/patch-CVE-2006-4811
new file mode 100644
index 0000000..78b4bef
--- /dev/null
+++ b/x11-toolkits/qt33/files/patch-CVE-2006-4811
@@ -0,0 +1,140 @@
+--- src/kernel/qfontengine_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qfontengine_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
+
+@@ -171,7 +171,8 @@
+ 
+     QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h));
+     QRect br2 = br & pdevRect;
+-    if (br2.width() <= 0 || br2.height() <= 0)
++    if (br2.width() <= 0 || br2.height() <= 0
++        || br2.width() >= 32768 || br2.height() >= 32768)
+         return;
+     QWMatrix mat = QPixmap::trueMatrix( xmat, w, h );
+     QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat);
+
+--- src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006
+
+@@ -475,7 +475,12 @@
+ 		Endian bitOrder )
+ {
+     init();
+-    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
++    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++         || INT_MAX / sizeof(uchar *) < uint(h)
++         || INT_MAX / uint(depth) < uint(w)
++         || bpl <= 0
++         || INT_MAX / uint(bpl) < uint(h) )
+ 	return;					// invalid parameter(s)
+     data->w = w;
+     data->h = h;
+@@ -483,7 +488,6 @@
+     data->ncols = depth != 32 ? numColors : 0;
+     if ( !yourdata )
+ 	return;	    // Image header info can be saved without needing to allocate memory.
+-    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
+     data->nbytes = bpl*h;
+     if ( colortable || !data->ncols ) {
+ 	data->ctbl = colortable;
+@@ -525,7 +529,10 @@
+ 		Endian bitOrder )
+ {
+     init();
+-    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++         || INT_MAX / sizeof(uchar *) < uint(h)
++         || INT_MAX / uint(bpl) < uint(h)
++         )
+ 	return;					// invalid parameter(s)
+     data->w = w;
+     data->h = h;
+@@ -1264,7 +1271,7 @@
+     if ( data->ncols != numColors )		// could not alloc color table
+ 	return FALSE;
+ 
+-    if ( INT_MAX / depth < width) { // sanity check for potential overflow
++    if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
+ 	setNumColors( 0 );
+ 	return FALSE;
+     }
+@@ -1277,7 +1284,9 @@
+     // #### WWA: shouldn't this be (width*depth+7)/8:
+     const int pad = bpl - (width*depth)/8;	// pad with zeros
+ #endif
+-    if (INT_MAX / bpl < height) { // sanity check for potential overflow
++    if ( INT_MAX / uint(bpl) < uint(height)
++        || bpl < 0
++        || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
+ 	setNumColors( 0 );
+ 	return FALSE;
+     }
+
+--- src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
++++ src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
+
+@@ -953,6 +953,9 @@
+     bool force_mono = (dd == 1 || isQBitmap() ||
+ 		       (conversion_flags & ColorMode_Mask)==MonoOnly );
+ 
++    if ( w >= 32768 || h >= 32768 )
++        return FALSE;
++
+     // get rid of the mask
+     delete data->mask;
+     data->mask = 0;
+@@ -1678,11 +1681,11 @@
+ 
+ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
+ {
+-    int	   w = 0;
+-    int	   h = 0;				// size of target pixmap
+-    int	   ws, hs;				// size of source pixmap
++    uint   w = 0;
++    uint   h = 0;				// size of target pixmap
++    uint   ws, hs;				// size of source pixmap
+     uchar *dptr;				// data in target pixmap
+-    int	   dbpl, dbytes;			// bytes per line/bytes total
++    uint   dbpl, dbytes;			// bytes per line/bytes total
+     uchar *sptr;				// data in original pixmap
+     int	   sbpl;				// bytes per line in original
+     int	   bpp;					// bits per pixel
+@@ -1697,19 +1700,24 @@
+ 
+     QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
+ 
++    double scaledWidth;
++    double scaledHeight;
++
+     if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
+ 	if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
+ 	    return *this;			// identity matrix
+-	h = qRound( matrix.m22()*hs );
+-	w = qRound( matrix.m11()*ws );
+-	h = QABS( h );
+-	w = QABS( w );
++	scaledHeight = matrix.m22()*hs;
++	scaledWidth = matrix.m11()*ws;
++	h = QABS( qRound( scaledHeight ) );
++	w = QABS( qRound( scaledWidth ) );
+     } else {					// rotation or shearing
+ 	QPointArray a( QRect(0,0,ws+1,hs+1) );
+ 	a = mat.map( a );
+ 	QRect r = a.boundingRect().normalize();
+ 	w = r.width()-1;
+ 	h = r.height()-1;
++        scaledWidth = w;
++        scaledHeight = h;
+     }
+ 
+     mat = trueMatrix( mat, ws, hs ); // true matrix
+@@ -1718,7 +1726,8 @@
+     bool invertible;
+     mat = mat.invert( &invertible );		// invert matrix
+ 
+-    if ( h == 0 || w == 0 || !invertible ) {	// error, return null pixmap
++    if ( h == 0 || w == 0 || !invertible
++         || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) {	// error, return null pixmap
+ 	QPixmap pm;
+ 	pm.data->bitmap = data->bitmap;
+ 	return pm;