aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff')
-rw-r--r--recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff61
1 files changed, 61 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
new file mode 100644
index 00000000..52056325
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff
@@ -0,0 +1,61 @@
+From 4964af998a1788eba15e0b4ab3382e1ebb709daf Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 10 Oct 2023 16:06:27 +0200
+Subject: [PATCH] qtbase: Pick CVE-2023-32763 fix
+
+CVE: CVE-2023-32763
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff]
+---
+ src/gui/painting/qfixed_p.h | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 846592881c..57d750a4b3 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = add_overflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index 26ac37b016..f6c69ff4a2 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-27 15:05:19 +0000