authorDiego Elio Pettenò <flameeyes@gentoo.org>2006-10-20 18:17:18 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2006-10-20 18:17:18 +0000
commit69d909795fd1e508682e1a8acfe54782cb8b3567 (patch)
tree05feefa5a5503a2fd39fea5c626dd7486c449046 /x11-libs/qt/files
parentstable and unstable version bumps (bug #151860) (diff)
Add new version of the patches for CVE-2006-4811 directly from Trolltech, hopefully fixing the problems for good.
(Portage version: 2.1.2_pre3-r5)
Diffstat (limited to 'x11-libs/qt/files')
-rw-r--r--x11-libs/qt/files/digest-qt-3.3.6-r46
-rw-r--r--x11-libs/qt/files/digest-qt-4.1.4-r23
-rw-r--r--x11-libs/qt/files/digest-qt-4.2.0-r23
-rw-r--r--x11-libs/qt/files/qt-3.3.6-CVE-2006-4811-bis.patch140
-rw-r--r--x11-libs/qt/files/qt-4.1.4-CVE-2006-4811-bis.patch179
-rw-r--r--x11-libs/qt/files/qt-4.2.0-CVE-2006-4811-bis.patch179
6 files changed, 510 insertions, 0 deletions
diff --git a/x11-libs/qt/files/digest-qt-3.3.6-r4 b/x11-libs/qt/files/digest-qt-3.3.6-r4
new file mode 100644
index 000000000000..935dada8500c
--- /dev/null
+++ b/x11-libs/qt/files/digest-qt-3.3.6-r4
@@ -0,0 +1,6 @@
+MD5 dc1384c03ac08af21f6fefab32d982cf qt-x11-free-3.3.6.tar.bz2 14565843
+RMD160 84c0b6bc6dc727d40a5a8df29a81aafc743c0161 qt-x11-free-3.3.6.tar.bz2 14565843
+SHA256 04f12083f6a6f7a8fd4d34a6c1efd37db76a67580c424f4fb7b7c43c0565e6ae qt-x11-free-3.3.6.tar.bz2 14565843
+MD5 08e49b5372bd44f973d8f2263458a5b6 qt-x11-immodule-unified-qt3.3.6-20060317-gentoo.diff.bz2 110200
+RMD160 51e480e651261796622a0d824ad549fd5e90089a qt-x11-immodule-unified-qt3.3.6-20060317-gentoo.diff.bz2 110200
+SHA256 e67d8720903ded64c1e2eadc91f2fd8cfb5d08e0d71addf17499f21a0891df18 qt-x11-immodule-unified-qt3.3.6-20060317-gentoo.diff.bz2 110200
diff --git a/x11-libs/qt/files/digest-qt-4.1.4-r2 b/x11-libs/qt/files/digest-qt-4.1.4-r2
new file mode 100644
index 000000000000..bf0aa52f457e
--- /dev/null
+++ b/x11-libs/qt/files/digest-qt-4.1.4-r2
@@ -0,0 +1,3 @@
+MD5 88f8c9c4622108baca2950baac3c02d6 qt-x11-opensource-src-4.1.4.tar.gz 32174985
+RMD160 a7e8558f275751b1a6217827784c3b81f84d6d5f qt-x11-opensource-src-4.1.4.tar.gz 32174985
+SHA256 1687e40065023469fa308d47db6158a529ee42e740e38cb5c89e6f20ee68e59c qt-x11-opensource-src-4.1.4.tar.gz 32174985
diff --git a/x11-libs/qt/files/digest-qt-4.2.0-r2 b/x11-libs/qt/files/digest-qt-4.2.0-r2
new file mode 100644
index 000000000000..f1fdcfed86c0
--- /dev/null
+++ b/x11-libs/qt/files/digest-qt-4.2.0-r2
@@ -0,0 +1,3 @@
+MD5 2c062a125d5ca66397e3430ba537fbec qt-x11-opensource-src-4.2.0.tar.gz 37084418
+RMD160 d9825a32fcfd495bf61316b4ee346a78ef5cc4f8 qt-x11-opensource-src-4.2.0.tar.gz 37084418
+SHA256 80abfeca291291ee4647c13fcd113741b98accb0205361cb2b18a914f4c0caba qt-x11-opensource-src-4.2.0.tar.gz 37084418
diff --git a/x11-libs/qt/files/qt-3.3.6-CVE-2006-4811-bis.patch b/x11-libs/qt/files/qt-3.3.6-CVE-2006-4811-bis.patch
new file mode 100644
index 000000000000..9a42a34bb294
--- /dev/null
+++ b/x11-libs/qt/files/qt-3.3.6-CVE-2006-4811-bis.patch
@@ -0,0 +1,140 @@
+--- //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
++++ //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -171,7 +171,8 @@
+
+ QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h));
+ QRect br2 = br & pdevRect;
+- if (br2.width() <= 0 || br2.height() <= 0)
++ if (br2.width() <= 0 || br2.height() <= 0
++ || br2.width() >= 32768 || br2.height() >= 32768)
+ return;
+ QWMatrix mat = QPixmap::trueMatrix( xmat, w, h );
+ QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat);
+
+--- //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
++++ //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -475,7 +475,12 @@
+ Endian bitOrder )
+ {
+ init();
+- if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++ int bpl = ((w*depth+31)/32)*4; // bytes per scanline
++ if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX / sizeof(uchar *) < uint(h)
++ || INT_MAX / uint(depth) < uint(w)
++ || bpl <= 0
++ || INT_MAX / uint(bpl) < uint(h) )
+ return; // invalid parameter(s)
+ data->w = w;
+ data->h = h;
+@@ -483,7 +488,6 @@
+ data->ncols = depth != 32 ? numColors : 0;
+ if ( !yourdata )
+ return; // Image header info can be saved without needing to allocate memory.
+- int bpl = ((w*depth+31)/32)*4; // bytes per scanline
+ data->nbytes = bpl*h;
+ if ( colortable || !data->ncols ) {
+ data->ctbl = colortable;
+@@ -525,7 +529,10 @@
+ Endian bitOrder )
+ {
+ init();
+- if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
++ if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX / sizeof(uchar *) < uint(h)
++ || INT_MAX / uint(bpl) < uint(h)
++ )
+ return; // invalid parameter(s)
+ data->w = w;
+ data->h = h;
+@@ -1264,7 +1271,7 @@
+ if ( data->ncols != numColors ) // could not alloc color table
+ return FALSE;
+
+- if ( INT_MAX / depth < width) { // sanity check for potential overflow
++ if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
+ setNumColors( 0 );
+ return FALSE;
+ }
+@@ -1277,7 +1284,9 @@
+ // #### WWA: shouldn't this be (width*depth+7)/8:
+ const int pad = bpl - (width*depth)/8; // pad with zeros
+ #endif
+- if (INT_MAX / bpl < height) { // sanity check for potential overflow
++ if ( INT_MAX / uint(bpl) < uint(height)
++ || bpl < 0
++ || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
+ setNumColors( 0 );
+ return FALSE;
+ }
+
+--- //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
++++ //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006
+
+@@ -953,6 +953,9 @@
+ bool force_mono = (dd == 1 || isQBitmap() ||
+ (conversion_flags & ColorMode_Mask)==MonoOnly );
+
++ if ( w >= 32768 || h >= 32768 )
++ return FALSE;
++
+ // get rid of the mask
+ delete data->mask;
+ data->mask = 0;
+@@ -1678,11 +1681,11 @@
+
+ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
+ {
+- int w = 0;
+- int h = 0; // size of target pixmap
+- int ws, hs; // size of source pixmap
++ uint w = 0;
++ uint h = 0; // size of target pixmap
++ uint ws, hs; // size of source pixmap
+ uchar *dptr; // data in target pixmap
+- int dbpl, dbytes; // bytes per line/bytes total
++ uint dbpl, dbytes; // bytes per line/bytes total
+ uchar *sptr; // data in original pixmap
+ int sbpl; // bytes per line in original
+ int bpp; // bits per pixel
+@@ -1697,19 +1700,24 @@
+
+ QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
+
++ double scaledWidth;
++ double scaledHeight;
++
+ if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
+ if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
+ return *this; // identity matrix
+- h = qRound( matrix.m22()*hs );
+- w = qRound( matrix.m11()*ws );
+- h = QABS( h );
+- w = QABS( w );
++ scaledHeight = matrix.m22()*hs;
++ scaledWidth = matrix.m11()*ws;
++ h = QABS( qRound( scaledHeight ) );
++ w = QABS( qRound( scaledWidth ) );
+ } else { // rotation or shearing
+ QPointArray a( QRect(0,0,ws+1,hs+1) );
+ a = mat.map( a );
+ QRect r = a.boundingRect().normalize();
+ w = r.width()-1;
+ h = r.height()-1;
++ scaledWidth = w;
++ scaledHeight = h;
+ }
+
+ mat = trueMatrix( mat, ws, hs ); // true matrix
+@@ -1718,7 +1726,8 @@
+ bool invertible;
+ mat = mat.invert( &invertible ); // invert matrix
+
+- if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap
++ if ( h == 0 || w == 0 || !invertible
++ || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap
+ QPixmap pm;
+ pm.data->bitmap = data->bitmap;
+ return pm;
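Review bot: In the qimage.cpp hunk at `@@ -525,7 +529,10 @@`, the added term `INT_MAX / uint(bpl) < uint(h)` divides by `bpl` without first rejecting zero, so a `bpl` of 0 reaches an integer division by zero. `bpl` looks like a caller-supplied constructor parameter here, since the hunk context shows no local declaration. The Qt 4 patches in this same commit guard the equivalent constructor with `|| bpl <= 0` ahead of the division and also carry `|| INT_MAX / uint(depth) < uint(w)`; I would add both terms here so the three backports reject the same inputs. The hunk at `@@ -1277,7 +1284,9 @@` has a related ordering problem: `bpl < 0` is tested after `INT_MAX / uint(bpl)` and does not exclude zero, so `bpl <= 0` should come first. Both function bodies continue outside the quoted context, so any validation of `bpl` elsewhere is not visible from here.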
diff --git a/x11-libs/qt/files/qt-4.1.4-CVE-2006-4811-bis.patch b/x11-libs/qt/files/qt-4.1.4-CVE-2006-4811-bis.patch
new file mode 100644
index 000000000000..e57cbb2f8e36
--- /dev/null
+++ b/x11-libs/qt/files/qt-4.1.4-CVE-2006-4811-bis.patch
@@ -0,0 +1,179 @@
+--- qt/4.1.5/src/gui/image/qimage.cpp Fri Oct 20 10:22:49 CEST 2006
++++ qt/4.1.5/src/gui/image/qimage.cpp Fri Oct 20 10:22:49 CEST 2006
+@@ -180,12 +180,12 @@
+
+ QImageData * QImageData::create(const QSize &size, QImage::Format format, int numColors)
+ {
+- int width = size.width();
+- int height = size.height();
+- if (width <= 0 || height <= 0 || numColors < 0 || format == QImage::Format_Invalid)
++ if (!size.isValid() || numColors < 0 || format == QImage::Format_Invalid)
+ return 0; // invalid parameter(s)
++ uint width = size.width();
++ uint height = size.height();
+
+- int depth = 0;
++ uint depth = 0;
+ switch(format) {
+ case QImage::NImageFormats:
+ case QImage::Format_Invalid:
+@@ -214,6 +214,15 @@
+ #endif
+ }
+
++ const int bytes_per_line = ((width * depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
++
++ // sanity check for potential overflows
++ if (INT_MAX/depth < width
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < height
++ || INT_MAX/sizeof(uchar *) < uint(height))
++ return 0;
++
+ QImageData *d = new QImageData;
+ d->colortable.resize(numColors);
+ if (depth == 1) {
+@@ -230,7 +239,7 @@
+ d->format = format;
+ d->has_alpha_clut = false;
+
+- d->bytes_per_line = ((width * d->depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
++ d->bytes_per_line = bytes_per_line;
+
+ d->nbytes = d->bytes_per_line*height;
+ d->data = (uchar *)malloc(d->nbytes);
+@@ -753,7 +762,16 @@
+ : QPaintDevice()
+ {
+ d = 0;
+- if (format == Format_Invalid || width <= 0 || height <= 0 || !data)
++
++ if (format == Format_Invalid )
++ return;
++ const int depth = depthForFormat(format);
++ const int bytes_per_line = ((width * depth + 31)/32) * 4;
++ if (width <= 0 || height <= 0 || !data
++ || INT_MAX/sizeof(uchar *) < uint(height)
++ || INT_MAX/uint(depth) < uint(width)
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < uint(height))
+ return; // invalid parameter(s)
+ d = new QImageData;
+ d->ref.ref();
+@@ -762,10 +780,10 @@
+ d->data = data;
+ d->width = width;
+ d->height = height;
+- d->depth = depthForFormat(format);
++ d->depth = depth;
+ d->format = format;
+
+- d->bytes_per_line = ((width * d->depth + 31)/32) * 4;
++ d->bytes_per_line = bytes_per_line;
+ d->nbytes = d->bytes_per_line * height;
+ }
+
+@@ -987,7 +1005,13 @@
+ Format f = formatFor(depth, bitOrder);
+ if (f == Format_Invalid)
+ return;
+- if (w <= 0 || h <= 0 || numColors < 0 || !data)
++
++ const int bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline
++ if (w <= 0 || h <= 0 || numColors < 0 || !data
++ || INT_MAX/sizeof(uchar *) < uint(h)
++ || INT_MAX/uint(depth) < uint(w)
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < uint(h))
+ return; // invalid parameter(s)
+ d = new QImageData;
+ d->ref.ref();
+@@ -1001,7 +1025,7 @@
+ if (depth == 32)
+ numColors = 0;
+
+- d->bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline
++ d->bytes_per_line = bytes_per_line;
+ d->nbytes = d->bytes_per_line * h;
+ if (colortable) {
+ d->colortable.resize(numColors);
+@@ -1035,7 +1059,11 @@
+ Format f = formatFor(depth, bitOrder);
+ if (f == Format_Invalid)
+ return;
+- if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0)
++ if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX/sizeof(uchar *) < uint(h)
++ || INT_MAX/uint(depth) < uint(w)
++ || bpl <= 0
++ || INT_MAX/uint(bpl) < uint(h))
+ return; // invalid parameter(s)
+
+ d = new QImageData;
+--- qt/4.1.5/src/gui/image/qpixmap_x11.cpp Fri Oct 20 10:22:59 CEST 2006
++++ qt/4.1.5/src/gui/image/qpixmap_x11.cpp Fri Oct 20 10:22:59 CEST 2006
+@@ -978,6 +978,9 @@
+ const int dd = X11->use_xrender && img.hasAlphaChannel() ? 32 : pixmap.data->xinfo.depth();
+ bool force_mono = (dd == 1 || (flags & Qt::ColorMode_Mask) == Qt::MonoOnly);
+
++ if (uint(w) >= 32768 || uint(h) >= 32768)
++ return QPixmap();
++
+ // must be monochrome
+ if (force_mono) {
+ if (d != 1) {
+@@ -1787,11 +1790,11 @@
+
+ QPixmap QPixmap::transformed(const QMatrix &matrix, Qt::TransformationMode mode) const
+ {
+- int w = 0;
+- int h = 0; // size of target pixmap
+- int ws, hs; // size of source pixmap
++ uint w = 0;
++ uint h = 0; // size of target pixmap
++ uint ws, hs; // size of source pixmap
+ uchar *dptr; // data in target pixmap
+- int dbpl, dbytes; // bytes per line/bytes total
++ uint dbpl, dbytes; // bytes per line/bytes total
+ uchar *sptr; // data in original pixmap
+ int sbpl; // bytes per line in original
+ int bpp; // bits per pixel
+@@ -1806,20 +1809,24 @@
+
+ QMatrix mat(matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0.);
+ bool complex_xform = false;
++ qreal scaledWidth;
++ qreal scaledHeight;
+
+ if (mat.m12() == 0.0F && mat.m21() == 0.0F) {
+ if (mat.m11() == 1.0F && mat.m22() == 1.0F) // identity matrix
+ return *this;
+- h = int(qAbs(mat.m22()) * hs + 0.9999);
+- w = int(qAbs(mat.m11()) * ws + 0.9999);
+- h = qAbs(h);
+- w = qAbs(w);
++ scaledHeight = qAbs(mat.m22()) * hs + 0.9999;
++ scaledWidth = qAbs(mat.m11()) * ws + 0.9999;
++ h = qAbs(int(scaledHeight));
++ w = qAbs(int(scaledWidth));
+ } else { // rotation or shearing
+ QPolygonF a(QRectF(0, 0, ws+1, hs+1));
+ a = mat.map(a);
+ QRectF r = a.boundingRect().normalized();
+ w = int(r.width() + 0.9999);
+ h = int(r.height() + 0.9999);
++ scaledWidth = w;
++ scaledHeight = h;
+ complex_xform = true;
+ }
+ mat = trueMatrix(mat, ws, hs); // true matrix
+@@ -1828,7 +1835,8 @@
+ bool invertible;
+ mat = mat.inverted(&invertible); // invert matrix
+
+- if (h == 0 || w == 0 || !invertible)
++ if (h == 0 || w == 0 || !invertible
++ || qAbs(scaledWidth) >= 32768 || qAbs(scaledHeight) >= 32768 ) // error, return null pixmap
+ return QPixmap();
+
+ if (mode == Qt::SmoothTransformation) {
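Review bot: In the two QImage constructors (`@@ -753,7 +762,16 @@` and `@@ -987,7 +1005,13 @@`), `bytes_per_line` is computed in signed `int` before any of the overflow guards run, so `width * depth + 31` can already have overflowed by the time `INT_MAX/uint(depth) < uint(width)` is evaluated. That overflow is undefined behaviour for signed arithmetic, and the `+ 31` can overflow even when the product check passes. Doing the arithmetic in a wider type and range-checking the result avoids relying on the wrapped value, e.g. `const qint64 bpl64 = ((qint64(width) * depth + 31) / 32) * 4;` followed by rejecting `bpl64 > INT_MAX`. The same pattern is in qt-4.2.0-CVE-2006-4811-bis.patch and in the first qimage.cpp hunk of the Qt 3 patch. Separately, the comment `must be multiple of 8` on the new line in `QImageData::create` does not match the expression, which rounds up to a multiple of 4 bytes.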
diff --git a/x11-libs/qt/files/qt-4.2.0-CVE-2006-4811-bis.patch b/x11-libs/qt/files/qt-4.2.0-CVE-2006-4811-bis.patch
new file mode 100644
index 000000000000..1150dc9ac587
--- /dev/null
+++ b/x11-libs/qt/files/qt-4.2.0-CVE-2006-4811-bis.patch
@@ -0,0 +1,179 @@
+--- //depot/qt/4.2/src/gui/image/qimage.cpp Fri Oct 20 10:25:38 CEST 2006
++++ //depot/qt/4.2/src/gui/image/qimage.cpp Fri Oct 20 10:25:38 CEST 2006
+@@ -208,12 +208,12 @@
+
+ QImageData * QImageData::create(const QSize &size, QImage::Format format, int numColors)
+ {
+- int width = size.width();
+- int height = size.height();
+- if (width <= 0 || height <= 0 || numColors < 0 || format == QImage::Format_Invalid)
++ if (!size.isValid() || numColors < 0 || format == QImage::Format_Invalid)
+ return 0; // invalid parameter(s)
++ uint width = size.width();
++ uint height = size.height();
+
+- int depth = 0;
++ uint depth = 0;
+ switch(format) {
+ case QImage::NImageFormats:
+ case QImage::Format_Invalid:
+@@ -240,6 +240,15 @@
+ break;
+ }
+
++ const int bytes_per_line = ((width * depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
++
++ // sanity check for potential overflows
++ if (INT_MAX/depth < width
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < height
++ || INT_MAX/sizeof(uchar *) < uint(height))
++ return 0;
++
+ QImageData *d = new QImageData;
+ d->colortable.resize(numColors);
+ if (depth == 1) {
+@@ -256,7 +265,7 @@
+ d->format = format;
+ d->has_alpha_clut = false;
+
+- d->bytes_per_line = ((width * d->depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
++ d->bytes_per_line = bytes_per_line;
+
+ d->nbytes = d->bytes_per_line*height;
+ d->data = (uchar *)malloc(d->nbytes);
+@@ -783,7 +792,16 @@
+ : QPaintDevice()
+ {
+ d = 0;
+- if (format == Format_Invalid || width <= 0 || height <= 0 || !data)
++
++ if (format == Format_Invalid )
++ return;
++ const int depth = depthForFormat(format);
++ const int bytes_per_line = ((width * depth + 31)/32) * 4;
++ if (width <= 0 || height <= 0 || !data
++ || INT_MAX/sizeof(uchar *) < uint(height)
++ || INT_MAX/uint(depth) < uint(width)
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < uint(height))
+ return; // invalid parameter(s)
+ d = new QImageData;
+ d->ref.ref();
+@@ -792,10 +810,10 @@
+ d->data = data;
+ d->width = width;
+ d->height = height;
+- d->depth = depthForFormat(format);
++ d->depth = depth;
+ d->format = format;
+
+- d->bytes_per_line = ((width * d->depth + 31)/32) * 4;
++ d->bytes_per_line = bytes_per_line;
+ d->nbytes = d->bytes_per_line * height;
+ }
+
+@@ -1055,7 +1073,13 @@
+ Format f = formatFor(depth, bitOrder);
+ if (f == Format_Invalid)
+ return;
+- if (w <= 0 || h <= 0 || numColors < 0 || !data)
++
++ const int bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline
++ if (w <= 0 || h <= 0 || numColors < 0 || !data
++ || INT_MAX/sizeof(uchar *) < uint(h)
++ || INT_MAX/uint(depth) < uint(w)
++ || bytes_per_line <= 0
++ || INT_MAX/uint(bytes_per_line) < uint(h))
+ return; // invalid parameter(s)
+ d = new QImageData;
+ d->ref.ref();
+@@ -1069,7 +1093,7 @@
+ if (depth == 32)
+ numColors = 0;
+
+- d->bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline
++ d->bytes_per_line = bytes_per_line;
+ d->nbytes = d->bytes_per_line * h;
+ if (colortable) {
+ d->colortable.resize(numColors);
+@@ -1104,7 +1128,11 @@
+ Format f = formatFor(depth, bitOrder);
+ if (f == Format_Invalid)
+ return;
+- if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0)
++ if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
++ || INT_MAX/sizeof(uchar *) < uint(h)
++ || INT_MAX/uint(depth) < uint(w)
++ || bpl <= 0
++ || INT_MAX/uint(bpl) < uint(h))
+ return; // invalid parameter(s)
+
+ d = new QImageData;
+--- //depot/qt/4.2/src/gui/image/qpixmap_x11.cpp Fri Oct 20 10:26:21 CEST 2006
++++ //depot/qt/4.2/src/gui/image/qpixmap_x11.cpp Fri Oct 20 10:26:21 CEST 2006
+@@ -993,6 +993,9 @@
+ const int dd = X11->use_xrender && img.hasAlphaChannel() ? 32 : pixmap.data->xinfo.depth();
+ bool force_mono = (dd == 1 || (flags & Qt::ColorMode_Mask) == Qt::MonoOnly);
+
++ if (uint(w) >= 32768 || uint(h) >= 32768)
++ return QPixmap();
++
+ // must be monochrome
+ if (force_mono) {
+ if (d != 1) {
+@@ -1802,11 +1805,11 @@
+
+ QPixmap QPixmap::transformed(const QMatrix &matrix, Qt::TransformationMode mode) const
+ {
+- int w = 0;
+- int h = 0; // size of target pixmap
+- int ws, hs; // size of source pixmap
++ uint w = 0;
++ uint h = 0; // size of target pixmap
++ uint ws, hs; // size of source pixmap
+ uchar *dptr; // data in target pixmap
+- int dbpl, dbytes; // bytes per line/bytes total
++ uint dbpl, dbytes; // bytes per line/bytes total
+ uchar *sptr; // data in original pixmap
+ int sbpl; // bytes per line in original
+ int bpp; // bits per pixel
+@@ -1821,20 +1824,24 @@
+
+ QMatrix mat(matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0.);
+ bool complex_xform = false;
++ qreal scaledWidth;
++ qreal scaledHeight;
+
+ if (mat.m12() == 0.0F && mat.m21() == 0.0F) {
+ if (mat.m11() == 1.0F && mat.m22() == 1.0F) // identity matrix
+ return *this;
+- h = int(qAbs(mat.m22()) * hs + 0.9999);
+- w = int(qAbs(mat.m11()) * ws + 0.9999);
+- h = qAbs(h);
+- w = qAbs(w);
++ scaledHeight = qAbs(mat.m22()) * hs + 0.9999;
++ scaledWidth = qAbs(mat.m11()) * ws + 0.9999;
++ h = qAbs(int(scaledHeight));
++ w = qAbs(int(scaledWidth));
+ } else { // rotation or shearing
+ QPolygonF a(QRectF(0, 0, ws+1, hs+1));
+ a = mat.map(a);
+ QRectF r = a.boundingRect().normalized();
+ w = int(r.width() + 0.9999);
+ h = int(r.height() + 0.9999);
++ scaledWidth = w;
++ scaledHeight = h;
+ complex_xform = true;
+ }
+ mat = trueMatrix(mat, ws, hs); // true matrix
+@@ -1843,7 +1850,8 @@
+ bool invertible;
+ mat = mat.inverted(&invertible); // invert matrix
+
+- if (h == 0 || w == 0 || !invertible)
++ if (h == 0 || w == 0 || !invertible
++ || qAbs(scaledWidth) >= 32768 || qAbs(scaledHeight) >= 32768 ) // error, return null pixmap
+ return QPixmap();
+
+ if (mode == Qt::SmoothTransformation) {
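Review bot: In the rotation/shearing branch of `QPixmap::transformed` (`@@ -1821,20 +1824,24 @@`), `scaledWidth = w;` and `scaledHeight = h;` copy the values only after `int(r.width() + 0.9999)` has been truncated into the now-unsigned `w`/`h`. The later `qAbs(scaledWidth) >= 32768` test therefore sees the converted value rather than the real extent, and a bounding rect wider than `INT_MAX` makes the double-to-int conversion itself undefined. The scale-only branch keeps the floating-point value and is not affected. I would assign `scaledWidth = r.width() + 0.9999;` and `scaledHeight = r.height() + 0.9999;` first and derive `w`/`h` from them only after the range check has passed. The identical hunk is in qt-4.1.4-CVE-2006-4811-bis.patch, and the function body continues outside the hunk.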