From 0060c515174fa8de8ad024c8fd1b191ab6906255 Mon Sep 17 00:00:00 2001
From: tobtoht
Date: Wed, 24 May 2023 11:14:02 +0200
Subject: [PATCH] depends: qt: add CVE patches
---
 contrib/depends/packages/qt.mk | 12 ++++-
 .../patches/qt/CVE-2023-32573-qtsvg-6.5.diff | 36 +++++++++++++
 .../patches/qt/CVE-2023-32762-qtbase-6.5.diff | 13 +++++
 .../patches/qt/CVE-2023-32763-qtbase-6.5.diff | 53 +++++++++++++++++++
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
 create mode 100644 contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
 create mode 100644 contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
diff --git a/contrib/depends/packages/qt.mk b/contrib/depends/packages/qt.mk
index d581533..35e4473 100644
--- a/contrib/depends/packages/qt.mk
+++ b/contrib/depends/packages/qt.mk
@@ -29,6 +29,11 @@ $(package)_patches += v4l2.patch
 $(package)_patches += windows_func_fix.patch
 $(package)_patches += WindowsToolchain.cmake
+# Remove >= 6.5.1
+$(package)_patches += CVE-2023-32573-qtsvg-6.5.diff
+$(package)_patches += CVE-2023-32762-qtbase-6.5.diff
+$(package)_patches += CVE-2023-32763-qtbase-6.5.diff
+
 $(package)_qttools_file_name=qttools-$($(package)_suffix)
 $(package)_qttools_sha256_hash=49c33d96b0a44988be954269b8ce3d1a495b439726e03a6be7c0d50a686369c4
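Review bot: The marker `# Remove >= 6.5.1` above the three new `$(package)_patches` entries does not say what has to be removed or why, and nothing in this hunk ties it to the Qt version the package pins. I'd spell it out, e.g. `# CVE backports: drop these entries, the patch files and their patch calls in preprocess_cmds when Qt is bumped to >= 6.5.1`, presumably because that release already carries the fixes. A backport left behind after a version bump would either break the build or apply against shifted context, so the removal condition is worth making unambiguous.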
@@ -255,7 +260,12 @@ define $(package)_preprocess_cmds
 mv $($(package)_patch_dir)/arm64-apple-toolchain.cmake . && \
 mv $($(package)_patch_dir)/gnueabihfToolchain.cmake . && \
 mv $($(package)_patch_dir)/riscvToolchain.cmake . && \
- cd qtmultimedia && \
+ cd qtbase && \
+ patch -p1 -i $($(package)_patch_dir)/CVE-2023-32762-qtbase-6.5.diff && \
+ patch -p1 -i $($(package)_patch_dir)/CVE-2023-32763-qtbase-6.5.diff && \
+ cd ../qtsvg && \
+ patch -p1 -i $($(package)_patch_dir)/CVE-2023-32573-qtsvg-6.5.diff && \
+ cd ../qtmultimedia && \
 patch -p1 -i $($(package)_patch_dir)/qtmultimedia-fixes.patch && \
 patch -p1 -i $($(package)_patch_dir)/v4l2.patch
 endef
diff --git a/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
new file mode 100644
index 0000000..aa86f2a
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
@@ -0,0 +1,36 @@
+--- a/src/svg/qsvgfont_p.h
++++ b/src/svg/qsvgfont_p.h
+@@ -38,6 +38,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+
+ void setFamilyName(const QString &name);
+@@ -50,9 +51,7 @@ public:
+ void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+- qreal m_unitsPerEm;
+- qreal m_ascent;
+- qreal m_descent;
++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_horizAdvX;
+ QHash m_glyphs;
+ };
+
+
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -2622,7 +2622,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
+
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+- unitsPerEm = 1000;
++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+
+ if (!name.isEmpty())
+ font->setFamilyName(name);
+
+
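Review bot: The three CVE patches are applied with plain `patch -p1 -i …`, so (assuming GNU patch) the default fuzz lets a hunk apply even when its context no longer matches exactly. For security backports I would rather have the build stop than have a fix land at a shifted location after a Qt bump; `patch -p1 -F0 -i $($(package)_patch_dir)/CVE-2023-32762-qtbase-6.5.diff && \` and the same for the other two would do that. The existing `qtmultimedia` calls use the same form, so this is a hardening suggestion for the new lines rather than an inconsistency. The `define` block starts above the hunk.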
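Review bot: This patch file, like `CVE-2023-32762-qtbase-6.5.diff` and `CVE-2023-32763-qtbase-6.5.diff` later in the commit, starts directly at the `---`/`+++` headers and records nowhere which upstream change it was taken from. Without that reference a reviewer cannot check that the vendored fix matches what Qt published. A leading line such as `Upstream: <URL or commit id of the Qt fix>` (placeholder, to be filled in by the author) before the first `---` would be enough, since patch skips text ahead of the first file header. The inner hunk also drops `m_ascent` and `m_descent` while adding the `m_unitsPerEm` default, so it is worth confirming against upstream that the removal belongs to the published fix.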
diff --git a/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
new file mode 100644
index 0000000..616b096
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
@@ -0,0 +1,13 @@
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -327,8 +327,8 @@ quoted-pair = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList> &headers)
+ {
+ for (const auto &h : headers) {
+- // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ // We compare directly because header name was already 'trimmed' for us:
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
diff --git a/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
new file mode 100644
index 0000000..bdb18de
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
@@ -0,0 +1,53 @@
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -18,6 +18,7 @@
+ #include
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include "QtCore/qnumeric.h"
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i, QFixed d) { return d+i; }
+ constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
+ // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = qAddOverflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
++inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = qMulOverflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, QFixed f)
+ { return dbg << f.toReal(); }
+
+
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2164,9 +2164,12 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->layoutData->currentMaxWidth += line.textWidth;
+- if (!manuallyWrapped)
+- eng->layoutData->currentMaxWidth += lbh.spaceData.textWidth;
++ if (qAddOverflow(eng->layoutData->currentMaxWidth, line.textWidth, &eng->layoutData->currentMaxWidth))
++ eng->layoutData->currentMaxWidth = QFIXED_MAX;
++ if (!manuallyWrapped) {
++ if (qAddOverflow(eng->layoutData->currentMaxWidth, lbh.spaceData.textWidth, &eng->layoutData->currentMaxWidth))
++ eng->layoutData->currentMaxWidth = QFIXED_MAX;
++ }
+ eng->maxWidth = qMax(eng->maxWidth, eng->layoutData->currentMaxWidth);
+ if (manuallyWrapped)
+ eng->layoutData->currentMaxWidth = 0;
\ No newline at end of file
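Review bot: In the `qtextlayout.cpp` part, both overflow branches saturate `currentMaxWidth` to `QFIXED_MAX` whatever the sign of the operands, and the helper has already written its result through `r` (here the accumulator itself) before the caller replaces it. That is fine as long as the widths are never negative, which these hunks do not show; a one-line contract on the helpers would make it explicit, e.g. `// Returns true on overflow; *r is then not meaningful and must be overwritten by the caller.` `qMulOverflow` is added but not called in the visible hunks, and it multiplies the raw `value()`s with no fixed-point rescaling, so it should be checked against upstream before anything relies on it. The outer diff also shows `\ No newline at end of file` for this patch file; ending it with a newline may avoid warnings from stricter patch tools.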