From 63fcd60094d9b7f6240647beec2d9c11a1ef8dee Mon Sep 17 00:00:00 2001
From: Kevin Kofler <Kevin@tigcc.ticalc.org>
Date: Apr 21 2015 23:47:13 +0000
Subject: backport CVE-2015-1860 (GIF handler buffer overflow, #1210675) fix from Qt 4


* Tue Apr 21 2015 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.3.8b-63
- backport CVE-2015-1860 (GIF handler buffer overflow, #1210675) fix from Qt 4

NOTE: Qt 3 is NOT vulnerable to CVE-2015-1858 nor CVE-2015-1859.

---

diff --git a/qt-x11-free-3.3.8b-CVE-2015-1860.patch b/qt-x11-free-3.3.8b-CVE-2015-1860.patch
new file mode 100644
index 0000000..d82f9a3
--- /dev/null
+++ b/qt-x11-free-3.3.8b-CVE-2015-1860.patch
@@ -0,0 +1,12 @@
+diff -ur qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp
+--- qt-x11-free-3.3.8b/src/kernel/qasyncimageio.cpp	2008-01-15 20:09:13.000000000 +0100
++++ qt-x11-free-3.3.8b-CVE-2015-1860/src/kernel/qasyncimageio.cpp	2015-04-22 01:30:03.000000000 +0200
+@@ -1221,6 +1221,8 @@
+ 
+ void QGIFFormat::nextY(QImage& img, QImageConsumer* consumer)
+ {
++    if (out_of_bounds)
++        return;
+     int my;
+     switch (interlace) {
+       case 0:
diff --git a/qt3.spec b/qt3.spec
index 26f1bba..062b30f 100644
--- a/qt3.spec
+++ b/qt3.spec
@@ -6,7 +6,7 @@
 Name: qt3
 Summary: The shared library for the Qt 3 GUI toolkit
 Version: 3.3.8b
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: QPL or GPLv2 or GPLv3
 Group: System Environment/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -93,6 +93,8 @@ Patch300: qt-x11-free-3.3.8b-CVE-2013-4549.patch
 Patch301: qt-x11-free-3.3.8b-CVE-2014-0190.patch
 # fix for CVE-2015-0295 backported from Qt 4
 Patch302: qt-x11-free-3.3.8b-CVE-2015-0295.patch
+# fix for CVE-2015-1860 backported from Qt 4
+Patch303: qt-x11-free-3.3.8b-CVE-2015-1860.patch
 
 %define qt_dirname qt-3.3
 %define qtdir %{_libdir}/%{qt_dirname}
@@ -346,6 +348,7 @@ sed -i.KDE3_PLUGIN_PATH \
 %patch300 -p1 -b .CVE-2013-4549
 %patch301 -p1 -b .CVE-2014-0190
 %patch302 -p1 -b .CVE-2015-0295
+%patch303 -p1 -b .CVE-2015-1860
 
 # convert to UTF-8
 iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
@@ -642,6 +645,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Tue Apr 21 2015 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.3.8b-63
+- backport CVE-2015-1860 (GIF handler buffer overflow, #1210675) fix from Qt 4
+
 * Sat Feb 28 2015 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.3.8b-62
 - backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4