SECURITY: Fix a division by zero when processing malformed BMP files.

This fixes a division by 0 when processing a maliciously crafted BMP
file. No impact beyond DoS.

PKGREVISION++.

3 files changed, 34 insertions, 2 deletions

diff --git a/x11/qt5-qtbase/Makefile b/x11/qt5-qtbase/Makefile
index d6e5ec630e3..b9f1c283419 100644
--- a/x11/qt5-qtbase/Makefile
+++ b/x11/qt5-qtbase/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.17 2015/02/19 14:26:21 joerg Exp $
+# $NetBSD: Makefile,v 1.18 2015/03/28 17:04:50 bsiegert Exp $
 
 DISTNAME=	qtbase-opensource-src-${QTVERSION}
 PKGNAME=	qt5-qtbase-${QTVERSION}
+PKGREVISION=	1
 COMMENT=	C++ X GUI toolkit
 
 .include "../../x11/qt5-qtbase/Makefile.common"
diff --git a/x11/qt5-qtbase/distinfo b/x11/qt5-qtbase/distinfo
index 1428f31c52b..7b9944597e8 100644
--- a/x11/qt5-qtbase/distinfo
+++ b/x11/qt5-qtbase/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2015/02/14 22:12:34 nros Exp $
+$NetBSD: distinfo,v 1.17 2015/03/28 17:04:50 bsiegert Exp $
 
 SHA1 (qtbase-opensource-src-5.4.0.tar.xz) = 2e3d32f32e36a92782ca66c260940824746900bd
 RMD160 (qtbase-opensource-src-5.4.0.tar.xz) = 0df3e024b331c705e895fb5bb76cacd71c6e4909
@@ -19,6 +19,7 @@ SHA1 (patch-src_corelib_global_qsystemdetection.h) = 9bdf20f66818ca1dd2a825a7491
 SHA1 (patch-src_corelib_io_io.pri) = c4bb37370849bfbc994809825ff94090d71a7116
 SHA1 (patch-src_corelib_io_qfilesystemwatcher.cpp) = 7732cae95975af17e0618667b979c3b84d51adae
 SHA1 (patch-src_corelib_io_qstorageinfo_unix.cpp) = 271f12fc32ffea7c72e62e8add20abf6939b275a
+SHA1 (patch-src_gui_image_qbmphandler.cpp) = 1e540711365f056657100ec84b22789e60443c98
 SHA1 (patch-src_network_kernel_qhostinfo__unix.cpp) = 0335273353daa7c980ccb4febb6eed11b452e50d
 SHA1 (patch-src_platformsupport_platformsupport.pro) = 2aa60936578458cf241ca893771897f7d34fe081
 SHA1 (patch-src_plugins_platforminputcontexts_compose_compose.pro) = 86f828bd545fe53c626fde0a645213077b88ef64
diff --git a/x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp b/x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp
new file mode 100644
index 00000000000..1c64efc5c36
--- /dev/null
+++ b/x11/qt5-qtbase/patches/patch-src_gui_image_qbmphandler.cpp
@@ -0,0 +1,30 @@
+$NetBSD: patch-src_gui_image_qbmphandler.cpp,v 1.1 2015/03/28 17:04:50 bsiegert Exp $
+https://codereview.qt-project.org/#/c/106929/4
+
+Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+--- src/gui/image/qbmphandler.cpp.orig	2015-03-24 21:58:44.000000000 +0000
++++ src/gui/image/qbmphandler.cpp
+@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream &s
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
++	if (((red_mask >> red_shift) + 1) == 0)
++            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
++	if (((green_mask >> green_shift) + 1) == 0)
++            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
++	if (((blue_mask >> blue_shift) + 1) == 0)
++            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+         alpha_shift = calc_shift(alpha_mask);
++	if (((alpha_mask >> alpha_shift) + 1) == 0)
++            return false;
+         alpha_scale = 256 / ((alpha_mask >> alpha_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;