depends: qt: add CVE patches

2025-01-03 09:29:37 +00:00 · 2023-05-24 11:14:02 +02:00 · 2023-05-24 11:14:02 +02:00 · 0060c51517
commit 0060c51517
parent 1269df6a60
4 changed files with 113 additions and 1 deletions
--- a/contrib/depends/packages/qt.mk
+++ b/contrib/depends/packages/qt.mk
@ -29,6 +29,11 @@ $(package)_patches += v4l2.patch
 $(package)_patches += windows_func_fix.patch
 $(package)_patches += WindowsToolchain.cmake
 # Remove >= 6.5.1
 $(package)_patches += CVE-2023-32573-qtsvg-6.5.diff
 $(package)_patches += CVE-2023-32762-qtbase-6.5.diff
 $(package)_patches += CVE-2023-32763-qtbase-6.5.diff
 $(package)_qttools_file_name=qttools-$($(package)_suffix)
 $(package)_qttools_sha256_hash=49c33d96b0a44988be954269b8ce3d1a495b439726e03a6be7c0d50a686369c4
@ -255,7 +260,12 @@ define $(package)_preprocess_cmds
  mv $($(package)_patch_dir)/arm64-apple-toolchain.cmake . && \
  mv $($(package)_patch_dir)/gnueabihfToolchain.cmake . && \
  mv $($(package)_patch_dir)/riscvToolchain.cmake . && \
-  cd qtmultimedia && \
+  cd qtbase && \
  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32762-qtbase-6.5.diff && \
  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32763-qtbase-6.5.diff && \
  cd ../qtsvg && \
  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32573-qtsvg-6.5.diff && \
  cd ../qtmultimedia && \
  patch -p1 -i $($(package)_patch_dir)/qtmultimedia-fixes.patch && \
  patch -p1 -i $($(package)_patch_dir)/v4l2.patch
 endef
--- a/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
+++ b/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
@ -0,0 +1,36 @@
 --- a/src/svg/qsvgfont_p.h
 +++ b/src/svg/qsvgfont_p.h
@@ -38,6 +38,7 @@ public:
 class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
 {
 public:
 +    static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
     QSvgFont(qreal horizAdvX);
     void setFamilyName(const QString &name);
@@ -50,9 +51,7 @@ public:
     void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
 public:
     QString m_familyName;
 -    qreal m_unitsPerEm;
 -    qreal m_ascent;
 -    qreal m_descent;
 +    qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
     qreal m_horizAdvX;
     QHash<QChar, QSvgGlyph> m_glyphs;
 };
 --- a/src/svg/qsvghandler.cpp
 +++ b/src/svg/qsvghandler.cpp
@@ -2622,7 +2622,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
     qreal unitsPerEm = toDouble(unitsPerEmStr);
     if (!unitsPerEm)
 -        unitsPerEm = 1000;
 +        unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
     if (!name.isEmpty())
         font->setFamilyName(name);
--- a/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
+++ b/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
@ -0,0 +1,13 @@
 --- a/src/network/access/qhsts.cpp
 +++ b/src/network/access/qhsts.cpp
@@ -327,8 +327,8 @@ quoted-pair    = "\" CHAR
 bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
 {
     for (const auto &h : headers) {
 -        // We use '==' since header name was already 'trimmed' for us:
 -        if (h.first == "Strict-Transport-Security") {
 +        // We compare directly because header name was already 'trimmed' for us:
 +        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
             header = h.second;
             // RFC6797, 8.1:
             //
--- a/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
+++ b/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
@ -0,0 +1,53 @@
 --- a/src/gui/painting/qfixed_p.h
 +++ b/src/gui/painting/qfixed_p.h
@@ -18,6 +18,7 @@
 #include <QtGui/private/qtguiglobal_p.h>
 #include "QtCore/qdebug.h"
 #include "QtCore/qpoint.h"
 +#include "QtCore/qnumeric.h"
 #include "QtCore/qsize.h"
 QT_BEGIN_NAMESPACE
@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i, QFixed d) { return d+i; }
 constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
 // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
 +inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
 +{
 +    int val;
 +    bool result = qAddOverflow(v1.value(), v2.value(), &val);
 +    r->setValue(val);
 +    return result;
 +}
 +
 +inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
 +{
 +    int val;
 +    bool result = qMulOverflow(v1.value(), v2.value(), &val);
 +    r->setValue(val);
 +    return result;
 +}
 +
 #ifndef QT_NO_DEBUG_STREAM
 inline QDebug &operator<<(QDebug &dbg, QFixed f)
 { return dbg << f.toReal(); }
 --- a/src/gui/text/qtextlayout.cpp
 +++ b/src/gui/text/qtextlayout.cpp
@@ -2164,9 +2164,12 @@ found:
         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
     } else {
         eng->minWidth = qMax(eng->minWidth, lbh.minw);
 -        eng->layoutData->currentMaxWidth += line.textWidth;
 -        if (!manuallyWrapped)
 -            eng->layoutData->currentMaxWidth += lbh.spaceData.textWidth;
 +        if (qAddOverflow(eng->layoutData->currentMaxWidth, line.textWidth, &eng->layoutData->currentMaxWidth))
 +            eng->layoutData->currentMaxWidth = QFIXED_MAX;
 +        if (!manuallyWrapped) {
 +            if (qAddOverflow(eng->layoutData->currentMaxWidth, lbh.spaceData.textWidth, &eng->layoutData->currentMaxWidth))
 +                eng->layoutData->currentMaxWidth = QFIXED_MAX;
 +        }
         eng->maxWidth = qMax(eng->maxWidth, eng->layoutData->currentMaxWidth);
         if (manuallyWrapped)
             eng->layoutData->currentMaxWidth = 0;