aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch
blob: 1b67914c7ff360d8123171eacfdd151a39fe765d (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

CVE: CVE-2021-3481
Upstream-Status: Backport [https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0]

Backport and squash commits 85b70a721695991e8a5bbe4aa52e5320e170e90c and
bfd6ee0d8cf34b63d32adf10ed93daa0086b359f to fix CVE-2021-3481.

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From 6c40fd492eafabe67177c0e84839beec5be298b8 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Tue, 1 Dec 2020 14:39:59 +0100
Subject: [PATCH] Improve handling of malformed numeric values in svg files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Catch cases where the input is not containable in a qreal, and avoid
passing on inf values.

Pick-to: 6.0 5.15 5.12
Change-Id: I1ab8932d94473916815385240c29e03afb0e0c9e
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

Clamp parsed doubles to float representable values

Parts of our rendering assumes incoming doubles can still be sane
floats.

Pick-to: 6.1 6.0 5.15 5.12
Fixes: QTBUG-91507
Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
---
 src/svg/qsvghandler.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index c937254..9dac05c 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -65,6 +65,7 @@
 #include "private/qmath_p.h"
 
 #include "float.h"
+#include <cmath>
 
 QT_BEGIN_NAMESPACE
 
@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
             val = -val;
     } else {
         val = QByteArray::fromRawData(temp, pos).toDouble();
+        // Do not tolerate values too wild to be represented normally by floats
+        if (qFpClassify(float(val)) != FP_NORMAL)
+            val = 0;
     }
     return val;
 
@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
         ncy = toDouble(cy);
     if (!r.isEmpty())
         nr = toDouble(r);
+    if (nr < 0.5)
+        nr = 0.5;
 
     qreal nfx = ncx;
     if (!fx.isEmpty())
-- 
2.29.2
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 23:49:39 +0000