From 39f6a0510d3f80c10c9d04a840cb80462534ae89 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Aug 13 2020 09:29:37 +0000
Subject: fixed #1868534 - CVE-2020-17507
---
diff --git a/qt-CVE-2020-17507.patch b/qt-CVE-2020-17507.patch
new file mode 100644
index 0000000..3504b36
--- /dev/null
+++ b/qt-CVE-2020-17507.patch
@@ -0,0 +1,14 @@
+diff -up qt-everywhere-opensource-src-4.8.7/src/gui/image/qxbmhandler.cpp.me qt-everywhere-opensource-src-4.8.7/src/gui/image/qxbmhandler.cpp
+--- qt-everywhere-opensource-src-4.8.7/src/gui/image/qxbmhandler.cpp.me 2020-08-13 11:20:45.943402169 +0200
++++ qt-everywhere-opensource-src-4.8.7/src/gui/image/qxbmhandler.cpp 2020-08-13 11:21:26.025976881 +0200
+@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *dev
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
diff --git a/qt.spec b/qt.spec
index 93043c7..23640d8 100644
--- a/qt.spec
+++ b/qt.spec
@@ -43,7 +43,7 @@ Summary: Qt toolkit
 Name: qt
 Epoch: 1
 Version: 4.8.7
-Release: 54%{?dist}
+Release: 55%{?dist}
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -225,6 +225,9 @@ Patch181: qt-everywhere-opensource-src-4.8.7-qforeach.patch
 # CVE-2018-19872 qt: malformed PPM image causing division by zero and crash in qppmhandler.cpp
 Patch500: qt-everywhere-opensource-src-4.8.7-crash-in-qppmhandler.patch
+# CVE-2020-17507 qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp
+Patch501: qt-CVE-2020-17507.patch
+
 # desktop files
 Source20: assistant.desktop
 Source21: designer.desktop
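Review bot: The two `isxdigit()` calls added in the `qxbmhandler.cpp` hunk receive `p[2]` and `p[3]` unconverted; if `p` is a plain `char *` (it is handed to `hex2byte(p+2)` and walks data read from the image, but its declaration is outside the hunk), a byte of 0x80 or above in a malformed XBM file is negative wherever `char` is signed, and passing a negative value other than EOF to a `<ctype.h>` classifier is undefined behaviour. I would write the check as `if (!isxdigit(static_cast<unsigned char>(p[2])) || !isxdigit(static_cast<unsigned char>(p[3])))`. The new bound `p < (buf + readBytes - 3)` does keep `p[3]` inside the bytes that were read; expressing it as a remaining-length test, `(buf + readBytes) - p > 3`, says the same thing without forming a pointer below `buf` when `readBytes` is small. `read_xbm_body` starts and ends outside the hunk, so what the loop does when the guard now fails for a non-null `p` cannot be checked from here.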
@@ -656,6 +659,7 @@ rm -rf src/3rdparty/clucene
 # security fixes
 %patch500 -p1 -b .malformed-ppb-image-causing-crash
+%patch501 -p1 -b .buffer-over-read-in-read_xbm_body
 # regression fixes for the security fixes
 %patch84 -p1 -b .QTBUG-35459
@@ -1378,6 +1382,9 @@ fi
 %changelog
+* Thu Aug 13 2020 Than Ngo - 4.8.7-55
+- fixed #1868534 - CVE-2020-17507
+
 * Wed Jul 29 2020 Fedora Release Engineering - 1:4.8.7-54
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild