From 4302ed02150c6c7c8dc7bd18869070acaded3655 Mon Sep 17 00:00:00 2001
From: Marek Vasut
Date: Tue, 10 Oct 2023 15:59:40 +0200
Subject: qtsvg: Pick CVE-2023-32573 fix

In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.

Advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-32573
Patch: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff

Signed-off-by: Marek Vasut
---
 .../qt5/qtsvg/CVE-2023-32573-qtsvg-5.15.diff | 34 ++++++++++++++++++++++
 recipes-qt/qt5/qtsvg_git.bb | 4 +++
 2 files changed, 38 insertions(+)
 create mode 100644 recipes-qt/qt5/qtsvg/CVE-2023-32573-qtsvg-5.15.diff
(limited to 'recipes-qt/qt5')
diff --git a/recipes-qt/qt5/qtsvg/CVE-2023-32573-qtsvg-5.15.diff b/recipes-qt/qt5/qtsvg/CVE-2023-32573-qtsvg-5.15.diff
new file mode 100644
index 00000000..f2a61e29
--- /dev/null
+++ b/recipes-qt/qt5/qtsvg/CVE-2023-32573-qtsvg-5.15.diff
@@ -0,0 +1,34 @@
+--- a/src/svg/qsvgfont_p.h
++++ b/src/svg/qsvgfont_p.h
+@@ -74,6 +74,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+ 
+ void setFamilyName(const QString &name);
+@@ -86,9 +87,7 @@ public:
+ void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+- qreal m_unitsPerEm;
+- qreal m_ascent;
+- qreal m_descent;
++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_horizAdvX;
+ QHash m_glyphs;
+ };
+ 
+ 
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
+ 
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+- unitsPerEm = 1000;
++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+ if (!name.isEmpty())
+ font->setFamilyName(name);
\ No newline at end of file
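Review bot: The new patch file carries no header before its first `--- a/src/svg/qsvgfont_p.h` line, so the provenance stated in the commit message is not recorded in the file itself; Yocto's patch conventions (and, as far as I recall, the insane-class patch-status QA check) expect lines such as `Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff]`, `CVE: CVE-2023-32573` and `Signed-off-by: Marek Vasut` at the top, even though cve-check can already match the CVE id from the filename. The patched hunks themselves look complete for the advisory: `m_unitsPerEm` gains an in-class initializer of `DEFAULT_UNITS_PER_EM`, so a `<font>` whose `font-face` never sets it no longer leaves the member uninitialized, and `parseFontFaceNode` falls back to the same constant instead of the bare `1000`. The line `QHash m_glyphs;` appears to have lost its template arguments in this rendering (presumably `QHash<QChar, QSvgGlyph>` in the real file) — worth confirming the file on disk keeps them, since a mismatched context line would make the patch fail to apply. The enclosing `parseFontFaceNode` function starts and ends outside the hunk.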
diff --git a/recipes-qt/qt5/qtsvg_git.bb b/recipes-qt/qt5/qtsvg_git.bb
index 4654a8ae..34d34b92 100644
--- a/recipes-qt/qt5/qtsvg_git.bb
+++ b/recipes-qt/qt5/qtsvg_git.bb
@@ -13,3 +13,7 @@ LIC_FILES_CHKSUM = " \
 DEPENDS += "qtbase"
 
 SRCREV = "78ec450b81c403d3b4e6a2c178e300cef3637cca"
+
+SRC_URI += "\
+ file://CVE-2023-32573-qtsvg-5.15.diff \
+"
-- 
cgit v1.2.3