diff options
author | Marek Vasut <marex@denx.de> | 2023-10-10 16:06:27 +0200 |
---|---|---|
committer | Martin Jansa <martin.jansa@gmail.com> | 2023-10-11 14:18:48 +0200 |
commit | 002d27e9bf8727e2680c76624198516f5a774741 (patch) | |
tree | 5a0801e63278f2c14b9f9907e7f3a8f2b53f59f6 | |
parent | 107e5138935d064039faec16054726ca3c2d0c7d (diff) |
qtbase: Pick CVE-2023-32763 fix
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9,
and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an
image inside it is rendered, a QTextLayout buffer overflow can
be triggered.
Advisory:
https://nvd.nist.gov/vuln/detail/CVE-2023-32763
Patch:
https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
Signed-off-by: Marek Vasut <marex@denx.de>
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff | 47 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase_git.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff new file mode 100644 index 00000000..ebb53e55 --- /dev/null +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff @@ -0,0 +1,47 @@ +--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = add_overflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+
+
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2163,11 +2163,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
\ No newline at end of file diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb index 05e0a4dd..e80335de 100644 --- a/recipes-qt/qt5/qtbase_git.bb +++ b/recipes-qt/qt5/qtbase_git.bb @@ -40,6 +40,7 @@ SRC_URI += "\ file://0023-Remove-unsetting-_FILE_OFFSET_BITS.patch \ file://0026-qsql_odbc-Patch-for-CVE-2023-24607.patch \ file://CVE-2023-32762.patch \ + file://CVE-2023-32763-qtbase-5.15.diff \ " # Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with |