bz#1518958, backport to fix out of bounds reads in qdnslookup_unix

qt5-qtbase.spec

@@ -55,7 +55,7 @@ BuildRequires: pkgconfig(libsystemd)
 Name:    qt5-qtbase
 Summary: Qt5 - QtBase components
 Version: 5.9.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -116,6 +116,7 @@ Patch66: qtbase-mariadb.patch
 Patch67: https://bugreports.qt.io/secure/attachment/66353/xcberror_filter.patch
 
 ## upstream patches (5.9 branch)
+Patch100: qtbase-opensource-src-5.9.3-QTBUG-64742-out-of-bounds-in-qdnslookup_unix.patch
 
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -362,6 +363,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %endif
 %patch66 -p1 -b .mariadb
 %patch67 -p1 -b .xcberror_filter
+%patch100 -p1 -b .QTBUG-64742-out-of-bounds-in-qdnslookup_unix
 
 %if 0%{?inject_optflags}
 ## adjust $RPM_OPT_FLAGS
@@ -979,6 +981,9 @@ fi
 
 
 %changelog
+* Thu Nov 30 2017 Than Ngo <than@redhat.com> - 5.9.3-2
+- bz#1518958, backport to fix out of bounds reads in qdnslookup_unix
+
 * Wed Nov 22 2017 Jan Grulich <jgrulich@redhat.com> - 5.9.3-1
 - 5.9.3
 

qtbase-opensource-src-5.9.3-QTBUG-64742-out-of-bounds-in-qdnslookup_unix.patch

@@ -0,0 +1,50 @@
+diff -up qtbase-opensource-src-5.9.3/src/network/kernel/qdnslookup_unix.cpp.orig qtbase-opensource-src-5.9.3/src/network/kernel/qdnslookup_unix.cpp
+--- qtbase-opensource-src-5.9.3/src/network/kernel/qdnslookup_unix.cpp.orig	2017-11-16 06:15:28.000000000 +0100
++++ qtbase-opensource-src-5.9.3/src/network/kernel/qdnslookup_unix.cpp	2017-11-30 09:22:47.525741040 +0100
+@@ -42,6 +42,7 @@
+ #if QT_CONFIG(library)
+ #include <qlibrary.h>
+ #endif
++#include <qvarlengtharray.h>
+ #include <qscopedpointer.h>
+ #include <qurl.h>
+ #include <private/qnativesocketengine_p.h>
+@@ -58,6 +59,8 @@
+ #  include <gnu/lib-names.h>
+ #endif
+ 
++#include <cstring>
++
+ QT_BEGIN_NAMESPACE
+ 
+ #if QT_CONFIG(library)
+@@ -189,11 +192,25 @@ void QDnsLookupRunnable::query(const int
+     QScopedPointer<struct __res_state, QDnsLookupStateDeleter> state_ptr(&state);
+ 
+     // Perform DNS query.
+-    unsigned char response[PACKETSZ];
+-    memset(response, 0, sizeof(response));
+-    const int responseLength = local_res_nquery(&state, requestName, C_IN, requestType, response, sizeof(response));
++    QVarLengthArray<unsigned char, PACKETSZ> buffer(PACKETSZ);
++    memset(buffer.data(), 0, buffer.size());
++    int responseLength = local_res_nquery(&state, requestName, C_IN, requestType, buffer.data(), buffer.size());
++    if (Q_UNLIKELY(responseLength > PACKETSZ)) {
++        buffer.resize(responseLength);
++        memset(buffer.data(), 0, buffer.size());
++        responseLength = local_res_nquery(&state, requestName, C_IN, requestType, buffer.data(), buffer.size());
++        if (Q_UNLIKELY(responseLength > buffer.size())) {
++            // Ok, we give up.
++            reply->error = QDnsLookup::ResolverError;
++            reply->errorString.clear(); // We cannot be more specific, alas.
++            return;
++        }
++    }
+ 
+-    // Check the response header.
++    unsigned char *response = buffer.data();
++    // Check the response header. Though res_nquery returns -1 as a
++    // responseLength in case of error, we still can extract the
++    // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+     const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {