qtbase: Refresh direct import patches with devtool

Run 'devtool modify qtbase ; devtool finish --force-patch-refresh qtbase ...' on the qtbase patches directly imported from Qt website [1] to refresh them and remove all application fuzz. Add the CVE: tags while at it. [1] https://download.qt.io/official_releases/qt/5.15/ Signed-off-by: Marek Vasut <marex@denx.de>
author: Marek Vasut <marex@denx.de> 2023-10-10 16:37:39 +0200
committer: Martin Jansa <martin.jansa@gmail.com> 2023-10-11 14:18:48 +0200
commit: 41a2d0e65575721ef8e44dd0975e5b477688c8aa (patch)
tree: fe07ae7db051fccdebfbb234dcf08fffb0a4e712
parent: 2a64bf65f12c01b1b3d79bf63bea30ff2bacf421 (diff)
6 files changed, 264 insertions, 190 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
index ebb53e55..52056325 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
+++ b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
@@ -1,47 +1,61 @@
---- a/src/gui/painting/qfixed_p.h
-+++ b/src/gui/painting/qfixed_p.h
-@@ -54,6 +54,7 @@
- #include <QtGui/private/qtguiglobal_p.h>
- #include "QtCore/qdebug.h"
- #include "QtCore/qpoint.h"
-+#include <QtCore/private/qnumeric_p.h>
- #include "QtCore/qsize.h"
-
- QT_BEGIN_NAMESPACE
-@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
- Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
- Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
-
-+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
-+{
-+    int val;
-+    bool result = add_overflow(v1.value(), v2.value(), &val);
-+    r->setValue(val);
-+    return result;
-+}
-+
- #ifndef QT_NO_DEBUG_STREAM
- inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
- { return dbg << f.toReal(); }
-
-
---- a/src/gui/text/qtextlayout.cpp
-+++ b/src/gui/text/qtextlayout.cpp
-@@ -2163,11 +2163,14 @@ found:
-         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
-     } else {
-         eng->minWidth = qMax(eng->minWidth, lbh.minw);
--        eng->maxWidth += line.textWidth;
-+        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
-+            eng->maxWidth = QFIXED_MAX;
-     }
-
--    if (line.textWidth > 0 && item < eng->layoutData->items.size())
--        eng->maxWidth += lbh.spaceData.textWidth;
-+    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
-+        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
-+            eng->maxWidth = QFIXED_MAX;
-+    }
-
-     line.textWidth += trailingSpace;
-     if (lbh.spaceData.length) {
-\ No newline at end of file
+From 4964af998a1788eba15e0b4ab3382e1ebb709daf Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:06:27 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-32763 fix
+
+CVE: CVE-2023-32763
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff]
+---
+ src/gui/painting/qfixed_p.h  | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 846592881c..57d750a4b3 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = add_overflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index 26ac37b016..f6c69ff4a2 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+     } else {
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-        eng->maxWidth += line.textWidth;
++        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
+     }
+ 
+-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-        eng->maxWidth += lbh.spaceData.textWidth;
++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
++    }
+ 
+     line.textWidth += trailingSpace;
+     if (lbh.spaceData.length) {
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff
index 4bed901c..0e545296 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff
+++ b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff
@@ -1,68 +1,81 @@
---- a/src/network/kernel/qdnslookup_unix.cpp
-+++ b/src/network/kernel/qdnslookup_unix.cpp
-@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
-     // responseLength in case of error, we still can extract the
-     // exact error code from the response.
-     HEADER *header = (HEADER*)response;
--    const int answerCount = ntohs(header->ancount);
-     switch (header->rcode) {
-     case NOERROR:
-         break;
-@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
-         return;
-     }
-
--    // Skip the query host, type (2 bytes) and class (2 bytes).
-     char host[PACKETSZ], answer[PACKETSZ];
-     unsigned char *p = response + sizeof(HEADER);
--    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
--    if (status < 0) {
-+    int status;
-+
-+    if (ntohs(header->qdcount) == 1) {
-+        // Skip the query host, type (2 bytes) and class (2 bytes).
-+        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-+        if (status < 0) {
-+            reply->error = QDnsLookup::InvalidReplyError;
-+            reply->errorString = tr("Could not expand domain name");
-+            return;
-+        }
-+        if ((p - response) + status + 4 >= responseLength)
-+            header->qdcount = 0xffff;   // invalid reply below
-+        else
-+            p += status + 4;
-+    }
-+    if (ntohs(header->qdcount) > 1) {
-         reply->error = QDnsLookup::InvalidReplyError;
--        reply->errorString = tr("Could not expand domain name");
-+        reply->errorString = tr("Invalid reply received");
-         return;
-     }
--    p += status + 4;
-
-     // Extract results.
-+    const int answerCount = ntohs(header->ancount);
-     int answerIndex = 0;
-     while ((p < response + responseLength) && (answerIndex < answerCount)) {
-         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
-         const QString name = QUrl::fromAce(host);
-
-         p += status;
-+
-+        if ((p - response) + 10 > responseLength) {
-+            // probably just a truncated reply, return what we have
-+            return;
-+        }
-         const quint16 type = (p[0] << 8) | p[1];
-         p += 2; // RR type
-         p += 2; // RR class
-@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
-         p += 4;
-         const quint16 size = (p[0] << 8) | p[1];
-         p += 2;
-+        if ((p - response) + size > responseLength)
-+            return;             // truncated
-
-         if (type == QDnsLookup::A) {
-             if (size != 4) {
+From 70be54588f7227e0100d511530170b5cdb46ee5a Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:08:05 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-33285 fix
+
+CVE: CVE-2023-33285
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff]
+---
+ src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 12b40fc35d..99e999d436 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         return;
+     }
+ 
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+ 
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+ 
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+ 
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff
index 726846c5..0f3e288b 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff
+++ b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff
@@ -1,54 +1,68 @@
---- a/src/network/ssl/qsslsocket_schannel.cpp
-+++ b/src/network/ssl/qsslsocket_schannel.cpp
-@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
-     if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
-         verifyDepth = DWORD(configuration.peerVerifyDepth);
-
-+    const auto &caCertificates = q->sslConfiguration().caCertificates();
-+
-+    if (!rootCertOnDemandLoadingAllowed()
-+            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
-+            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
-+                    || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
-+        // When verifying a peer Windows "helpfully" builds a chain that
-+        // may include roots from the system store. But we don't want that if
-+        // the user has set their own CA certificates.
-+        // Since Windows claims this is not a partial chain the root is included
-+        // and we have to check that it is one of our configured CAs.
-+        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
-+        QSslCertificate certificate = getCertificateFromChainElement(element);
-+        if (!caCertificates.contains(certificate)) {
-+            auto error = QSslError(QSslError::CertificateUntrusted, certificate);
-+            sslErrors += error;
-+            emit q->peerVerifyError(error);
-+            if (q->state() != QAbstractSocket::ConnectedState)
-+                return false;
-+        }
-+    }
-+
-     for (DWORD i = 0; i < verifyDepth; i++) {
-         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
-         QSslCertificate certificate = getCertificateFromChainElement(element);
-
-
---- a/src/network/ssl/qsslsocket.cpp
-+++ b/src/network/ssl/qsslsocket.cpp
-@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
-     , flushTriggered(false)
- {
-     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
-+    // If the global configuration doesn't allow root certificates to be loaded
-+    // on demand then we have to disable it for this socket as well.
-+    if (!configuration.allowRootCertOnDemandLoading)
-+        allowRootCertOnDemandLoading = false;
- }
-
- /*!
-@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
-     ptr->sessionProtocol = global->sessionProtocol;
-     ptr->ciphers = global->ciphers;
-     ptr->caCertificates = global->caCertificates;
-+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
-     ptr->protocol = global->protocol;
-     ptr->peerVerifyMode = global->peerVerifyMode;
-     ptr->peerVerifyDepth = global->peerVerifyDepth;
-\ No newline at end of file
+From ec348cf21e3cecfda0e1d7db6f2ecf423509f55a Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:09:29 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-34410 fix
+
+CVE: CVE-2023-34410
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff]
+---
+ src/network/ssl/qsslsocket.cpp          |  5 +++++
+ src/network/ssl/qsslsocket_schannel.cpp | 22 ++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 5bb6e7ee4a..2a0b3a4f1d 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++    // If the global configuration doesn't allow root certificates to be loaded
++    // on demand then we have to disable it for this socket as well.
++    if (!configuration.allowRootCertOnDemandLoading)
++        allowRootCertOnDemandLoading = false;
+ }
+ 
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
++    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;
+diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
+index c956ce3c2b..d1b23af29b 100644
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+     if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+         verifyDepth = DWORD(configuration.peerVerifyDepth);
+ 
++    const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++    if (!rootCertOnDemandLoadingAllowed()
++            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++                    || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++        // When verifying a peer Windows "helpfully" builds a chain that
++        // may include roots from the system store. But we don't want that if
++        // the user has set their own CA certificates.
++        // Since Windows claims this is not a partial chain the root is included
++        // and we have to check that it is one of our configured CAs.
++        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++        QSslCertificate certificate = getCertificateFromChainElement(element);
++        if (!caCertificates.contains(certificate)) {
++            auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++            sslErrors += error;
++            emit q->peerVerifyError(error);
++            if (q->state() != QAbstractSocket::ConnectedState)
++                return false;
++        }
++    }
++
+     for (DWORD i = 0; i < verifyDepth; i++) {
+         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+         QSslCertificate certificate = getCertificateFromChainElement(element);
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff
index ad2984fb..4fde5493 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff
+++ b/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff
@@ -1,5 +1,18 @@
+From 8b7ecba1bab3a02af1c5d5b2278b88e931e612e6 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:10:40 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-37369 fix
+
+CVE: CVE-2023-37369
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff]
+---
+ src/corelib/serialization/qxmlstream.cpp | 39 +++++++++++++++---------
+ src/corelib/serialization/qxmlstream.g   | 25 +++++++++++++--
+ src/corelib/serialization/qxmlstream_p.h | 25 +++++++++++++--
+ 3 files changed, 69 insertions(+), 20 deletions(-)
+
 diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
-index 7cd457ba3a..11d162cb79 100644
+index b2f846544d..6c98e7c013 100644
 --- a/src/corelib/serialization/qxmlstream.cpp
 +++ b/src/corelib/serialization/qxmlstream.cpp
 @@ -1302,15 +1302,18 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
@@ -88,7 +101,7 @@ index 7cd457ba3a..11d162cb79 100644
  {
  
 diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
-index 4321fed68a..8c6a1a5887 100644
+index b623de9505..e431028506 100644
 --- a/src/corelib/serialization/qxmlstream.g
 +++ b/src/corelib/serialization/qxmlstream.g
 @@ -516,7 +516,16 @@ public:
@@ -117,7 +130,7 @@ index 4321fed68a..8c6a1a5887 100644
  
      QXmlStreamEntityResolver *entityResolver;
  
-@@ -1811,7 +1821,12 @@ space_opt ::= space;
+@@ -1809,7 +1819,12 @@ space_opt ::= space;
  qname ::= LETTER;
  /.
          case $rule_number: {
@@ -131,7 +144,7 @@ index 4321fed68a..8c6a1a5887 100644
              if (atEnd) {
                  resume($rule_number);
                  return false;
-@@ -1822,7 +1837,11 @@ qname ::= LETTER;
+@@ -1820,7 +1835,11 @@ qname ::= LETTER;
  name ::= LETTER;
  /.
          case $rule_number:
@@ -145,7 +158,7 @@ index 4321fed68a..8c6a1a5887 100644
                  resume($rule_number);
                  return false;
 diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
-index e5bde7b98e..b01484cac3 100644
+index 103b123b10..80e7f74080 100644
 --- a/src/corelib/serialization/qxmlstream_p.h
 +++ b/src/corelib/serialization/qxmlstream_p.h
 @@ -1005,7 +1005,16 @@ public:
@@ -174,7 +187,7 @@ index e5bde7b98e..b01484cac3 100644
  
      QXmlStreamEntityResolver *entityResolver;
  
-@@ -1939,7 +1949,12 @@ bool QXmlStreamReaderPrivate::parse()
+@@ -1937,7 +1947,12 @@ bool QXmlStreamReaderPrivate::parse()
          break;
  
          case 262: {
@@ -188,7 +201,7 @@ index e5bde7b98e..b01484cac3 100644
              if (atEnd) {
                  resume(262);
                  return false;
-@@ -1947,7 +1962,11 @@ bool QXmlStreamReaderPrivate::parse()
+@@ -1945,7 +1960,11 @@ bool QXmlStreamReaderPrivate::parse()
          } break;
  
          case 263:
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff
index e9e622bc..cb631519 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff
+++ b/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff
@@ -1,8 +1,20 @@
+From ae3946f38904b626a73a64f2829f60c911e2943b Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:11:57 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-38197 fix
+
+CVE: CVE-2023-38197
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff]
+---
+ src/corelib/serialization/qxmlstream.cpp | 144 +++++++++++++++++++++--
+ src/corelib/serialization/qxmlstream_p.h |  11 ++
+ 2 files changed, 147 insertions(+), 8 deletions(-)
+
 diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
-index bf8a2a9..6ab5d49 100644
+index 6c98e7c013..2553d3e09a 100644
 --- a/src/corelib/serialization/qxmlstream.cpp
 +++ b/src/corelib/serialization/qxmlstream.cpp
-@@ -160,7 +160,7 @@
+@@ -160,7 +160,7 @@ enum { StreamEOF = ~0U };
      addData() or by waiting for it to arrive on the device().
  
      \value UnexpectedElementError The parser encountered an element
@@ -11,7 +23,7 @@ index bf8a2a9..6ab5d49 100644
  
  */
  
-@@ -295,13 +295,34 @@
+@@ -295,13 +295,34 @@ QXmlStreamEntityResolver *QXmlStreamReader::entityResolver() const
  
    QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
    include external parsed entities. As long as no error occurs, the
@@ -53,7 +65,7 @@ index bf8a2a9..6ab5d49 100644
  
    If an error occurs while parsing, atEnd() and hasError() return
    true, and error() returns the error that occurred. The functions
-@@ -620,6 +641,7 @@
+@@ -620,6 +641,7 @@ QXmlStreamReader::TokenType QXmlStreamReader::readNext()
          d->token = -1;
          return readNext();
      }
@@ -61,7 +73,7 @@ index bf8a2a9..6ab5d49 100644
      return d->type;
  }
  
-@@ -740,6 +762,14 @@
+@@ -740,6 +762,14 @@ static const short QXmlStreamReader_tokenTypeString_indices[] = {
  };
  
  
@@ -76,7 +88,7 @@ index bf8a2a9..6ab5d49 100644
  /*!
      \property  QXmlStreamReader::namespaceProcessing
      The namespace-processing flag of the stream reader
-@@ -775,6 +805,16 @@
+@@ -775,6 +805,16 @@ QString QXmlStreamReader::tokenString() const
                           QXmlStreamReader_tokenTypeString_indices[d->type]);
  }
  
@@ -93,7 +105,7 @@ index bf8a2a9..6ab5d49 100644
  #endif // QT_NO_XMLSTREAMREADER
  
  QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
-@@ -866,6 +906,8 @@
+@@ -866,6 +906,8 @@ void QXmlStreamReaderPrivate::init()
  
      type = QXmlStreamReader::NoToken;
      error = QXmlStreamReader::NoError;
@@ -102,7 +114,7 @@ index bf8a2a9..6ab5d49 100644
  }
  
  /*
-@@ -4061,6 +4103,92 @@
+@@ -4061,6 +4103,92 @@ void QXmlStreamWriter::writeCurrentToken(const QXmlStreamReader &reader)
      }
  }
  
@@ -196,10 +208,10 @@ index bf8a2a9..6ab5d49 100644
   \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
   \since 4.5
 diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
-index 8f7c9e0..708059b 100644
+index 80e7f74080..6db58386db 100644
 --- a/src/corelib/serialization/qxmlstream_p.h
 +++ b/src/corelib/serialization/qxmlstream_p.h
-@@ -804,6 +804,17 @@
+@@ -804,6 +804,17 @@ public:
  #endif
      bool atEnd;
  
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch
index da59ce54..4b75db3a 100644
--- a/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch
+++ b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch
@@ -1,5 +1,16 @@
+From 7ec5e6dff1d6f6b2f3abcb1a2802f174ac189d9e Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:13:57 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-43114 fix
+
+CVE: CVE-2023-43114
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-43114-5.15.patch]
+---
+ .../windows/qwindowsfontdatabase.cpp          | 67 ++++++++++++++-----
+ 1 file changed, 51 insertions(+), 16 deletions(-)
+
 diff --git a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
-index ba683cf686..217a968c64 100644
+index 09d2d916fe..0e6fe5eb84 100644
 --- a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
 +++ b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
 @@ -1471,36 +1471,70 @@ QT_WARNING_POP
@@ -115,6 +126,3 @@ index ba683cf686..217a968c64 100644
  
          if (values) {
              QFontValues fontValues;
--- 
-2.27.0.windows.1
-
author	Marek Vasut <marex@denx.de>	2023-10-10 16:37:39 +0200
committer	Martin Jansa <martin.jansa@gmail.com>	2023-10-11 14:18:48 +0200
commit	41a2d0e65575721ef8e44dd0975e5b477688c8aa (patch)
tree	fe07ae7db051fccdebfbb234dcf08fffb0a4e712
parent	2a64bf65f12c01b1b3d79bf63bea30ff2bacf421 (diff)