author | Marek Vasut <marex@denx.de> | 2023-10-10 16:13:57 +0200 |
---|---|---|
committer | Martin Jansa <martin.jansa@gmail.com> | 2023-10-11 14:18:48 +0200 |
commit | 2a64bf65f12c01b1b3d79bf63bea30ff2bacf421 (patch) | |
tree | 2b9235c8f6f3b0625574a6af4db8cb0c1ef43fda | |
parent | a77ea02371242d391dcccad4d97af3a685dc8a9d (diff) |
qtbase: Pick CVE-2023-43114 fix
An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10,
and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the
GDI font engine, if a corrupted font is loaded via
QFontDatabase::addApplicationFont[FromData], then it can cause
the application to crash because of missing length checks.
Advisory:
https://nvd.nist.gov/vuln/detail/CVE-2023-43114
Patch:
https://download.qt.io/official_releases/qt/5.15/CVE-2023-43114-5.15.patch
Signed-off-by: Marek Vasut <marex@denx.de>
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch | 120 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase_git.bb | 1 |
2 files changed, 121 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch
new file mode 100644
index 00000000..da59ce54
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch
@@ -0,0 +1,120 @@
+diff --git a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
+index ba683cf686..217a968c64 100644
+--- a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
++++ b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
+@@ -1471,36 +1471,70 @@ QT_WARNING_POP
+ return fontEngine;
+ }
+ 
+-static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData)
++static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData, const uchar *fileEndSentinel)
+ {
+ QList<quint32> offsets;
+- const quint32 headerTag = *reinterpret_cast<const quint32 *>(fontData);
++ if (fileEndSentinel - fontData < 12) {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
++ return offsets;
++ }
++
++ const quint32 headerTag = qFromUnaligned<quint32>(fontData);
+ if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) {
+ if (headerTag != MAKE_TAG(0, 1, 0, 0)
+ && headerTag != MAKE_TAG('O', 'T', 'T', 'O')
+ && headerTag != MAKE_TAG('t', 'r', 'u', 'e')
+- && headerTag != MAKE_TAG('t', 'y', 'p', '1'))
++ && headerTag != MAKE_TAG('t', 'y', 'p', '1')) {
+ return offsets;
++ }
+ offsets << 0;
+ return offsets;
+ }
++
++ const quint32 maximumNumFonts = 0xffff;
+ const quint32 numFonts = qFromBigEndian<quint32>(fontData + 8);
+- for (uint i = 0; i < numFonts; ++i) {
+- offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++ if (numFonts > maximumNumFonts) {
++ qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting.";
++ return offsets;
+ }
++
++ if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) {
++ for (quint32 i = 0; i < numFonts; ++i)
++ offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++ } else {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
++ }
++
+ return offsets;
+ }
+ 
+-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
++static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+ {
+- const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+- for (uint i = 0; i < numTables; ++i) {
+- const quint32 offset = 12 + 16 * i;
+- if (*reinterpret_cast<const quint32 *>(data + offset) == tag) {
+- *table = fileBegin + qFromBigEndian<quint32>(data + offset + 8);
+- *length = qFromBigEndian<quint32>(data + offset + 12);
+- return;
++ if (fileEndSentinel - data >= 6) {
++ const quint16 numTables = qFromBigEndian<quint16>(data + 4);
++ if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) {
++ for (quint32 i = 0; i < numTables; ++i) {
++ const quint32 offset = 12 + 16 * i;
++ if (qFromUnaligned<quint32>(data + offset) == tag) {
++ const quint32 tableOffset = qFromBigEndian<quint32>(data + offset + 8);
++ if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
++ break;
++ }
++ *table = fileBegin + tableOffset;
++ *length = qFromBigEndian<quint32>(data + offset + 12);
++ if (quintptr(fileEndSentinel - *table) < *length) {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
++ break;
++ }
++ return;
++ }
++ }
++ } else {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
+ }
++ } else {
++ qCWarning(lcQpaFonts) << "Corrupted font data detected";
+ }
+ *table = 0;
+ *length = 0;
+@@ -1513,8 +1547,9 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+ QVector<QFontValues> *values)
+ {
+ const uchar *data = reinterpret_cast<const uchar *>(fontData.constData());
++ const uchar *dataEndSentinel = data + fontData.size();
+ 
+- QList<quint32> offsets = getTrueTypeFontOffsets(data);
++ QList<quint32> offsets = getTrueTypeFontOffsets(data, dataEndSentinel);
+ if (offsets.isEmpty())
+ return;
+ 
+@@ -1522,7 +1557,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+ const uchar *font = data + offsets.at(i);
+ const uchar *table;
+ quint32 length;
+- getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
++ getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+ if (!table)
+ continue;
+ QFontNames names = qt_getCanonicalFontNames(table, length);
+@@ -1532,7 +1567,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+ families->append(std::move(names));
+ 
+ if (values || signatures)
+- getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
++ getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+ 
+ if (values) {
+ QFontValues fontValues;
+-- 
+2.27.0.windows.1
+
diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
index a2785617..7356c40c 100644
--- a/recipes-qt/qt5/qtbase_git.bb
+++ b/recipes-qt/qt5/qtbase_git.bb
@@ -45,6 +45,7 @@ SRC_URI += "\
 file://CVE-2023-34410-qtbase-5.15.diff \
 file://CVE-2023-37369-qtbase-5.15.diff \
 file://CVE-2023-38197-qtbase-5.15.diff \
+ file://CVE-2023-43114-5.15.patch \
 "
 
 # Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with
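Review bot: The collection-offset bound in the new `getTrueTypeFontOffsets` is loose by three bytes: `quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4` only requires the first byte of the last offset entry to be in range, while the `qFromBigEndian<quint32>(fontData + 12 + i * 4)` read in the loop needs all four, so a file truncated inside the offset table can still be read up to 3 bytes past `fileEndSentinel`. The tight form, matching the `>= 28 + 16 * (numTables - 1)` check that `getFontTable` already uses for its table records, is `if (quintptr(fileEndSentinel - fontData) >= 12 + quintptr(numFonts) * 4) {`; the `numFonts > maximumNumFonts` cap above it keeps that arithmetic far from overflow. Since this hunk vendors an upstream patch verbatim, the tightening presumably belongs in a follow-up patch (with its upstream reference) rather than an edit to this file. The remaining new checks (the 12-byte header guard, the `tableOffset` and `*length` comparisons against the sentinel) read as correct from the visible lines.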