CVE: CVE-2021-3481 Upstream-Status: Backport [https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0] Backport and squash commits 85b70a721695991e8a5bbe4aa52e5320e170e90c and bfd6ee0d8cf34b63d32adf10ed93daa0086b359f to fix CVE-2021-3481. Signed-off-by: Kai Kang From 6c40fd492eafabe67177c0e84839beec5be298b8 Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Tue, 1 Dec 2020 14:39:59 +0100 Subject: [PATCH] Improve handling of malformed numeric values in svg files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Catch cases where the input is not containable in a qreal, and avoid passing on inf values. Pick-to: 6.0 5.15 5.12 Change-Id: I1ab8932d94473916815385240c29e03afb0e0c9e Reviewed-by: Robert Loehning Reviewed-by: Allan Sandfeld Jensen Clamp parsed doubles to float representable values Parts of our rendering assumes incoming doubles can still be sane floats. Pick-to: 6.1 6.0 5.15 5.12 Fixes: QTBUG-91507 Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d Reviewed-by: Robert Löhning Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Mårten Nordheim --- src/svg/qsvghandler.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index c937254..9dac05c 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -65,6 +65,7 @@ #include "private/qmath_p.h" #include "float.h" +#include QT_BEGIN_NAMESPACE @@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str) val = -val; } else { val = QByteArray::fromRawData(temp, pos).toDouble(); + // Do not tolerate values too wild to be represented normally by floats + if (qFpClassify(float(val)) != FP_NORMAL) + val = 0; } return val; @@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, ncy = toDouble(cy); if (!r.isEmpty()) nr = toDouble(r); + if (nr < 0.5) + nr = 0.5; qreal nfx = ncx; if (!fx.isEmpty()) -- 2.29.2
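Review bot: the added `+#include` line in the first hunk has no header name in this copy of the patch, so it cannot be checked as written; the new code below relies on `qFpClassify` (declared in QtCore's qnumeric.h) and `FP_NORMAL` (from `<cmath>`/`<math.h>`), and the hunk context shows only `"private/qmath_p.h"` and `"float.h"` already present. Please confirm the intended header is the one that provides both names, or add the second one, so the build does not depend on transitive includes.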
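Review bot: in the `toDouble` hunk the guard `if (qFpClassify(float(val)) != FP_NORMAL) val = 0;` narrows an arbitrary `double` to `float` before classifying it, and converting a finite double whose magnitude exceeds `FLT_MAX` to `float` is undefined behaviour in C++ (in practice it yields inf, which is what makes the check work). Since `float.h` is already included, testing on the double directly, e.g. `qFpClassify(val) != FP_NORMAL || qAbs(val) > FLT_MAX`, avoids the UB and is no more expensive. Two smaller points on the same hunk: the commit title says the values are "clamped" to float range, but the code zeroes them, which silently turns an oversized width or radius into 0 rather than a maximum, so the comment should say so (or the value should be clamped to `±FLT_MAX`); and the check sits only in the `else` branch that calls `QByteArray::toDouble()`, so the preceding branch that ends with `val = -val;` is not covered and needs either a note that it can only produce representable magnitudes or the check moved after the `if`/`else`.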
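Review bot: the `createRadialGradientNode` hunk introduces an unexplained constant in `if (nr < 0.5) nr = 0.5;`; please add a comment stating why 0.5 is the floor (the QTBUG-91507 reference in the message suggests a rendering assumption on the minimum radius) so the next reader does not mistake it for an arbitrary value. Note also that the clamp is applied unconditionally, after the `if (!r.isEmpty()) nr = toDouble(r);` line, so it also rewrites the default radius used when `r` is absent and any legitimately small positive radius from the document; if only negative or degenerate radii are the concern, a comment to that effect, or a tighter condition, would make the intent clear.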