Compare commits
No commits in common. "c8" and "c8s" have entirely different histories.
|
|
@ -0,0 +1,2 @@
|
|||
981f5fbeb315c2e4adc122cee944368598466b67 SOURCES/kde-5.15-rollup-20220324.patch.gz
|
||||
d7383126e1f412ef26096692b9e50a1887eb11f7 SOURCES/qtbase-everywhere-opensource-src-5.15.3.tar.xz
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From ea63c28efc1d2ecb467b83a34923d12462efa96f Mon Sep 17 00:00:00 2001
|
||||
From: Marc Mutz <marc.mutz@qt.io>
|
||||
Date: Tue, 12 Dec 2023 20:51:56 +0100
|
||||
Subject: [PATCH] HPack: fix a Yoda Condition
|
||||
|
||||
Putting the variable on the LHS of a relational operation makes the
|
||||
expression easier to read. In this case, we find that the whole
|
||||
expression is nonsensical as an overflow protection, because if
|
||||
name.size() + value.size() overflows, the result will exactly _not_
|
||||
be > max() - 32, because UB will have happened.
|
||||
|
||||
To be fixed in a follow-up commit.
|
||||
|
||||
As a drive-by, add parentheses around the RHS.
|
||||
|
||||
Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
|
||||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
||||
(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9)
|
||||
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
|
||||
(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867)
|
||||
(cherry picked from commit 13c16b756900fe524f6d9534e8a07aa003c05e0c)
|
||||
(cherry picked from commit 1d4788a39668fb2dc5912a8d9c4272dc40e99f92)
|
||||
(cherry picked from commit 87de75b5cc946d196decaa6aef4792a6cac0b6db)
|
||||
---
|
||||
|
||||
diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
|
||||
index 834214f..ab166a6 100644
|
||||
--- a/src/network/access/http2/hpacktable.cpp
|
||||
+++ b/src/network/access/http2/hpacktable.cpp
|
||||
@@ -63,7 +63,7 @@
|
||||
// 32 octets of overhead."
|
||||
|
||||
const unsigned sum = unsigned(name.size() + value.size());
|
||||
- if (std::numeric_limits<unsigned>::max() - 32 < sum)
|
||||
+ if (sum > (std::numeric_limits<unsigned>::max() - 32))
|
||||
return HeaderSize();
|
||||
return HeaderSize(true, quint32(sum + 32));
|
||||
}
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From 23c3fc483e8b6e21012a61f0bea884446f727776 Mon Sep 17 00:00:00 2001
|
||||
From: Marc Mutz <marc.mutz@qt.io>
|
||||
Date: Tue, 12 Dec 2023 22:08:07 +0100
|
||||
Subject: [PATCH] HPack: fix incorrect integer overflow check
|
||||
|
||||
This code never worked:
|
||||
|
||||
For the comparison with max() - 32 to trigger, on 32-bit platforms (or
|
||||
Qt 5) signed interger overflow would have had to happen in the
|
||||
addition of the two sizes. The compiler can therefore remove the
|
||||
overflow check as dead code.
|
||||
|
||||
On Qt 6 and 64-bit platforms, the signed integer addition would be
|
||||
very unlikely to overflow, but the following truncation to uint32
|
||||
would yield the correct result only in a narrow 32-value window just
|
||||
below UINT_MAX, if even that.
|
||||
|
||||
Fix by using the proper tool, qAddOverflow.
|
||||
|
||||
Manual conflict resolutions:
|
||||
- qAddOverflow doesn't exist in Qt 5, use private add_overflow
|
||||
predecessor API instead
|
||||
|
||||
Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
|
||||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
||||
(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
|
||||
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
|
||||
(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
|
||||
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
||||
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
||||
(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7)
|
||||
(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00)
|
||||
(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5)
|
||||
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
|
||||
---
|
||||
|
||||
diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
|
||||
index ab166a6..de91fc0 100644
|
||||
--- a/src/network/access/http2/hpacktable.cpp
|
||||
+++ b/src/network/access/http2/hpacktable.cpp
|
||||
@@ -40,6 +40,7 @@
|
||||
#include "hpacktable_p.h"
|
||||
|
||||
#include <QtCore/qdebug.h>
|
||||
+#include <QtCore/private/qnumeric_p.h>
|
||||
|
||||
#include <algorithm>
|
||||
#include <cstddef>
|
||||
@@ -62,7 +63,9 @@
|
||||
// for counting the number of references to the name and value would have
|
||||
// 32 octets of overhead."
|
||||
|
||||
- const unsigned sum = unsigned(name.size() + value.size());
|
||||
+ size_t sum;
|
||||
+ if (add_overflow(size_t(name.size()), size_t(value.size()), &sum))
|
||||
+ return HeaderSize();
|
||||
if (sum > (std::numeric_limits<unsigned>::max() - 32))
|
||||
return HeaderSize();
|
||||
return HeaderSize(true, quint32(sum + 32));
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
--- a/src/network/access/qhsts.cpp
|
||||
+++ b/src/network/access/qhsts.cpp
|
||||
@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
|
||||
bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
|
||||
{
|
||||
for (const auto &h : headers) {
|
||||
- // We use '==' since header name was already 'trimmed' for us:
|
||||
- if (h.first == "Strict-Transport-Security") {
|
||||
+ // We compare directly because header name was already 'trimmed' for us:
|
||||
+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
|
||||
header = h.second;
|
||||
// RFC6797, 8.1:
|
||||
//
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
|
||||
index 84659288..57d750a4 100644
|
||||
--- a/src/gui/painting/qfixed_p.h
|
||||
+++ b/src/gui/painting/qfixed_p.h
|
||||
@@ -54,6 +54,7 @@
|
||||
#include <QtGui/private/qtguiglobal_p.h>
|
||||
#include "QtCore/qdebug.h"
|
||||
#include "QtCore/qpoint.h"
|
||||
+#include <QtCore/private/qnumeric_p.h>
|
||||
#include "QtCore/qsize.h"
|
||||
|
||||
QT_BEGIN_NAMESPACE
|
||||
@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
|
||||
Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
|
||||
Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
|
||||
|
||||
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
|
||||
+{
|
||||
+ int val;
|
||||
+ bool result = add_overflow(v1.value(), v2.value(), &val);
|
||||
+ r->setValue(val);
|
||||
+ return result;
|
||||
+}
|
||||
+
|
||||
#ifndef QT_NO_DEBUG_STREAM
|
||||
inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
|
||||
{ return dbg << f.toReal(); }
|
||||
diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
|
||||
index 26ac37b0..f6c69ff4 100644
|
||||
--- a/src/gui/text/qtextlayout.cpp
|
||||
+++ b/src/gui/text/qtextlayout.cpp
|
||||
@@ -2150,11 +2150,14 @@ found:
|
||||
eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
|
||||
} else {
|
||||
eng->minWidth = qMax(eng->minWidth, lbh.minw);
|
||||
- eng->maxWidth += line.textWidth;
|
||||
+ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
|
||||
+ eng->maxWidth = QFIXED_MAX;
|
||||
}
|
||||
|
||||
- if (line.textWidth > 0 && item < eng->layoutData->items.size())
|
||||
- eng->maxWidth += lbh.spaceData.textWidth;
|
||||
+ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
|
||||
+ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
|
||||
+ eng->maxWidth = QFIXED_MAX;
|
||||
+ }
|
||||
|
||||
line.textWidth += trailingSpace;
|
||||
if (lbh.spaceData.length) {
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From 2103f2487f709dd9546c503820d9ad509e9a63b3 Mon Sep 17 00:00:00 2001
|
||||
From: Thiago Macieira <thiago.macieira@intel.com>
|
||||
Date: Thu, 11 May 2023 21:40:15 -0700
|
||||
Subject: QDnsLookup/Unix: make sure we don't overflow the buffer
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The DNS Records are variable length and encode their size in 16 bits
|
||||
before the Record Data (RDATA). Ensure that both the RDATA and the
|
||||
Record header fields before it fall inside the buffer we have.
|
||||
|
||||
Additionally reject any replies containing more than one query records.
|
||||
|
||||
[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer
|
||||
overflow in Unix systems while parsing corrupt, malicious, or truncated
|
||||
replies.
|
||||
|
||||
Pick-to: 5.15 6.2 6.5 6.5.1
|
||||
Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95
|
||||
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
||||
Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
|
||||
(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c)
|
||||
|
||||
* asturmlechner 2023-05-18: Resolve conflict with dev branch commit
|
||||
68b625901f9eb7c34e3d7aa302e1c0a454d3190b
|
||||
|
||||
diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
|
||||
index 12b40fc35d..99e999d436 100644
|
||||
--- a/src/network/kernel/qdnslookup_unix.cpp
|
||||
+++ b/src/network/kernel/qdnslookup_unix.cpp
|
||||
@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
// responseLength in case of error, we still can extract the
|
||||
// exact error code from the response.
|
||||
HEADER *header = (HEADER*)response;
|
||||
- const int answerCount = ntohs(header->ancount);
|
||||
switch (header->rcode) {
|
||||
case NOERROR:
|
||||
break;
|
||||
@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
return;
|
||||
}
|
||||
|
||||
- // Skip the query host, type (2 bytes) and class (2 bytes).
|
||||
char host[PACKETSZ], answer[PACKETSZ];
|
||||
unsigned char *p = response + sizeof(HEADER);
|
||||
- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
- if (status < 0) {
|
||||
+ int status;
|
||||
+
|
||||
+ if (ntohs(header->qdcount) == 1) {
|
||||
+ // Skip the query host, type (2 bytes) and class (2 bytes).
|
||||
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
+ if (status < 0) {
|
||||
+ reply->error = QDnsLookup::InvalidReplyError;
|
||||
+ reply->errorString = tr("Could not expand domain name");
|
||||
+ return;
|
||||
+ }
|
||||
+ if ((p - response) + status + 4 >= responseLength)
|
||||
+ header->qdcount = 0xffff; // invalid reply below
|
||||
+ else
|
||||
+ p += status + 4;
|
||||
+ }
|
||||
+ if (ntohs(header->qdcount) > 1) {
|
||||
reply->error = QDnsLookup::InvalidReplyError;
|
||||
- reply->errorString = tr("Could not expand domain name");
|
||||
+ reply->errorString = tr("Invalid reply received");
|
||||
return;
|
||||
}
|
||||
- p += status + 4;
|
||||
|
||||
// Extract results.
|
||||
+ const int answerCount = ntohs(header->ancount);
|
||||
int answerIndex = 0;
|
||||
while ((p < response + responseLength) && (answerIndex < answerCount)) {
|
||||
status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
const QString name = QUrl::fromAce(host);
|
||||
|
||||
p += status;
|
||||
+
|
||||
+ if ((p - response) + 10 > responseLength) {
|
||||
+ // probably just a truncated reply, return what we have
|
||||
+ return;
|
||||
+ }
|
||||
const quint16 type = (p[0] << 8) | p[1];
|
||||
p += 2; // RR type
|
||||
p += 2; // RR class
|
||||
@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
p += 4;
|
||||
const quint16 size = (p[0] << 8) | p[1];
|
||||
p += 2;
|
||||
+ if ((p - response) + size > responseLength)
|
||||
+ return; // truncated
|
||||
|
||||
if (type == QDnsLookup::A) {
|
||||
if (size != 4) {
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
--- a/src/network/ssl/qsslsocket_schannel.cpp
|
||||
+++ b/src/network/ssl/qsslsocket_schannel.cpp
|
||||
@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
|
||||
if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
|
||||
verifyDepth = DWORD(configuration.peerVerifyDepth);
|
||||
|
||||
+ const auto &caCertificates = q->sslConfiguration().caCertificates();
|
||||
+
|
||||
+ if (!rootCertOnDemandLoadingAllowed()
|
||||
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
|
||||
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
|
||||
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
|
||||
+ // When verifying a peer Windows "helpfully" builds a chain that
|
||||
+ // may include roots from the system store. But we don't want that if
|
||||
+ // the user has set their own CA certificates.
|
||||
+ // Since Windows claims this is not a partial chain the root is included
|
||||
+ // and we have to check that it is one of our configured CAs.
|
||||
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
|
||||
+ QSslCertificate certificate = getCertificateFromChainElement(element);
|
||||
+ if (!caCertificates.contains(certificate)) {
|
||||
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
|
||||
+ sslErrors += error;
|
||||
+ emit q->peerVerifyError(error);
|
||||
+ if (q->state() != QAbstractSocket::ConnectedState)
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
for (DWORD i = 0; i < verifyDepth; i++) {
|
||||
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
|
||||
QSslCertificate certificate = getCertificateFromChainElement(element);
|
||||
|
||||
|
||||
--- a/src/network/ssl/qsslsocket.cpp
|
||||
+++ b/src/network/ssl/qsslsocket.cpp
|
||||
@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
|
||||
, flushTriggered(false)
|
||||
{
|
||||
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
|
||||
+ // If the global configuration doesn't allow root certificates to be loaded
|
||||
+ // on demand then we have to disable it for this socket as well.
|
||||
+ if (!configuration.allowRootCertOnDemandLoading)
|
||||
+ allowRootCertOnDemandLoading = false;
|
||||
}
|
||||
|
||||
/*!
|
||||
@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
|
||||
ptr->sessionProtocol = global->sessionProtocol;
|
||||
ptr->ciphers = global->ciphers;
|
||||
ptr->caCertificates = global->caCertificates;
|
||||
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
|
||||
ptr->protocol = global->protocol;
|
||||
ptr->peerVerifyMode = global->peerVerifyMode;
|
||||
ptr->peerVerifyDepth = global->peerVerifyDepth;
|
||||
|
|
@ -1,202 +0,0 @@
|
|||
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
|
||||
index 4f282f19..6c98e7c0 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.cpp
|
||||
+++ b/src/corelib/serialization/qxmlstream.cpp
|
||||
@@ -1302,11 +1302,19 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
|
||||
return n;
|
||||
}
|
||||
|
||||
-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
+// Fast scan an XML attribute name (e.g. "xml:lang").
|
||||
+inline QXmlStreamReaderPrivate::FastScanNameResult
|
||||
+QXmlStreamReaderPrivate::fastScanName(Value *val)
|
||||
{
|
||||
int n = 0;
|
||||
uint c;
|
||||
while ((c = getChar()) != StreamEOF) {
|
||||
+ if (n >= 4096) {
|
||||
+ // This is too long to be a sensible name, and
|
||||
+ // can exhaust memory, or the range of decltype(*prefix)
|
||||
+ raiseNamePrefixTooLongError();
|
||||
+ return {};
|
||||
+ }
|
||||
switch (c) {
|
||||
case '\n':
|
||||
case ' ':
|
||||
@@ -1334,23 +1342,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
case '+':
|
||||
case '*':
|
||||
putChar(c);
|
||||
- if (prefix && *prefix == n+1) {
|
||||
- *prefix = 0;
|
||||
+ if (val && val->prefix == n + 1) {
|
||||
+ val->prefix = 0;
|
||||
putChar(':');
|
||||
--n;
|
||||
}
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
case ':':
|
||||
- if (prefix) {
|
||||
- if (*prefix == 0) {
|
||||
- *prefix = n+2;
|
||||
+ if (val) {
|
||||
+ if (val->prefix == 0) {
|
||||
+ val->prefix = n + 2;
|
||||
} else { // only one colon allowed according to the namespace spec.
|
||||
putChar(c);
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
}
|
||||
} else {
|
||||
putChar(c);
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
}
|
||||
Q_FALLTHROUGH();
|
||||
default:
|
||||
@@ -1359,12 +1367,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
}
|
||||
}
|
||||
|
||||
- if (prefix)
|
||||
- *prefix = 0;
|
||||
+ if (val)
|
||||
+ val->prefix = 0;
|
||||
int pos = textBuffer.size() - n;
|
||||
putString(textBuffer, pos);
|
||||
textBuffer.resize(pos);
|
||||
- return 0;
|
||||
+ return FastScanNameResult(0);
|
||||
}
|
||||
|
||||
enum NameChar { NameBeginning, NameNotBeginning, NotName };
|
||||
@@ -1873,6 +1881,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
|
||||
raiseError(QXmlStreamReader::NotWellFormedError, message);
|
||||
}
|
||||
|
||||
+void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
|
||||
+{
|
||||
+ // TODO: add a ImplementationLimitsExceededError and use it instead
|
||||
+ raiseError(QXmlStreamReader::NotWellFormedError,
|
||||
+ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
|
||||
+ "characters)."));
|
||||
+}
|
||||
+
|
||||
void QXmlStreamReaderPrivate::parseError()
|
||||
{
|
||||
|
||||
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
|
||||
index b623de95..e4310285 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.g
|
||||
+++ b/src/corelib/serialization/qxmlstream.g
|
||||
@@ -516,7 +516,16 @@ public:
|
||||
int fastScanLiteralContent();
|
||||
int fastScanSpace();
|
||||
int fastScanContentCharList();
|
||||
- int fastScanName(int *prefix = nullptr);
|
||||
+
|
||||
+ struct FastScanNameResult {
|
||||
+ FastScanNameResult() : ok(false) {}
|
||||
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
|
||||
+ operator bool() { return ok; }
|
||||
+ int operator*() { Q_ASSERT(ok); return addToLen; }
|
||||
+ int addToLen;
|
||||
+ bool ok;
|
||||
+ };
|
||||
+ FastScanNameResult fastScanName(Value *val = nullptr);
|
||||
inline int fastScanNMTOKEN();
|
||||
|
||||
|
||||
@@ -525,6 +534,7 @@ public:
|
||||
|
||||
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
|
||||
void raiseWellFormedError(const QString &message);
|
||||
+ void raiseNamePrefixTooLongError();
|
||||
|
||||
QXmlStreamEntityResolver *entityResolver;
|
||||
|
||||
@@ -1809,7 +1819,12 @@ space_opt ::= space;
|
||||
qname ::= LETTER;
|
||||
/.
|
||||
case $rule_number: {
|
||||
- sym(1).len += fastScanName(&sym(1).prefix);
|
||||
+ Value &val = sym(1);
|
||||
+ if (auto res = fastScanName(&val))
|
||||
+ val.len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume($rule_number);
|
||||
return false;
|
||||
@@ -1820,7 +1835,11 @@ qname ::= LETTER;
|
||||
name ::= LETTER;
|
||||
/.
|
||||
case $rule_number:
|
||||
- sym(1).len += fastScanName();
|
||||
+ if (auto res = fastScanName())
|
||||
+ sym(1).len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume($rule_number);
|
||||
return false;
|
||||
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
|
||||
index 103b123b..80e7f740 100644
|
||||
--- a/src/corelib/serialization/qxmlstream_p.h
|
||||
+++ b/src/corelib/serialization/qxmlstream_p.h
|
||||
@@ -1005,7 +1005,16 @@ public:
|
||||
int fastScanLiteralContent();
|
||||
int fastScanSpace();
|
||||
int fastScanContentCharList();
|
||||
- int fastScanName(int *prefix = nullptr);
|
||||
+
|
||||
+ struct FastScanNameResult {
|
||||
+ FastScanNameResult() : ok(false) {}
|
||||
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
|
||||
+ operator bool() { return ok; }
|
||||
+ int operator*() { Q_ASSERT(ok); return addToLen; }
|
||||
+ int addToLen;
|
||||
+ bool ok;
|
||||
+ };
|
||||
+ FastScanNameResult fastScanName(Value *val = nullptr);
|
||||
inline int fastScanNMTOKEN();
|
||||
|
||||
|
||||
@@ -1014,6 +1023,7 @@ public:
|
||||
|
||||
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
|
||||
void raiseWellFormedError(const QString &message);
|
||||
+ void raiseNamePrefixTooLongError();
|
||||
|
||||
QXmlStreamEntityResolver *entityResolver;
|
||||
|
||||
@@ -1937,7 +1947,12 @@ bool QXmlStreamReaderPrivate::parse()
|
||||
break;
|
||||
|
||||
case 262: {
|
||||
- sym(1).len += fastScanName(&sym(1).prefix);
|
||||
+ Value &val = sym(1);
|
||||
+ if (auto res = fastScanName(&val))
|
||||
+ val.len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume(262);
|
||||
return false;
|
||||
@@ -1945,7 +1960,11 @@ bool QXmlStreamReaderPrivate::parse()
|
||||
} break;
|
||||
|
||||
case 263:
|
||||
- sym(1).len += fastScanName();
|
||||
+ if (auto res = fastScanName())
|
||||
+ sym(1).len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume(263);
|
||||
return false;
|
||||
|
|
@ -1,219 +0,0 @@
|
|||
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
|
||||
index bf8a2a9..6ab5d49 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.cpp
|
||||
+++ b/src/corelib/serialization/qxmlstream.cpp
|
||||
@@ -160,7 +160,7 @@
|
||||
addData() or by waiting for it to arrive on the device().
|
||||
|
||||
\value UnexpectedElementError The parser encountered an element
|
||||
- that was different to those it expected.
|
||||
+ or token that was different to those it expected.
|
||||
|
||||
*/
|
||||
|
||||
@@ -295,13 +295,34 @@
|
||||
|
||||
QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
|
||||
include external parsed entities. As long as no error occurs, the
|
||||
- application code can thus be assured that the data provided by the
|
||||
- stream reader satisfies the W3C's criteria for well-formed XML. For
|
||||
- example, you can be certain that all tags are indeed nested and
|
||||
- closed properly, that references to internal entities have been
|
||||
- replaced with the correct replacement text, and that attributes have
|
||||
- been normalized or added according to the internal subset of the
|
||||
- DTD.
|
||||
+ application code can thus be assured, that
|
||||
+ \list
|
||||
+ \li the data provided by the stream reader satisfies the W3C's
|
||||
+ criteria for well-formed XML,
|
||||
+ \li tokens are provided in a valid order.
|
||||
+ \endlist
|
||||
+
|
||||
+ Unless QXmlStreamReader raises an error, it guarantees the following:
|
||||
+ \list
|
||||
+ \li All tags are nested and closed properly.
|
||||
+ \li References to internal entities have been replaced with the
|
||||
+ correct replacement text.
|
||||
+ \li Attributes have been normalized or added according to the
|
||||
+ internal subset of the \l DTD.
|
||||
+ \li Tokens of type \l StartDocument happen before all others,
|
||||
+ aside from comments and processing instructions.
|
||||
+ \li At most one DOCTYPE element (a token of type \l DTD) is present.
|
||||
+ \li If present, the DOCTYPE appears before all other elements,
|
||||
+ aside from StartDocument, comments and processing instructions.
|
||||
+ \endlist
|
||||
+
|
||||
+ In particular, once any token of type \l StartElement, \l EndElement,
|
||||
+ \l Characters, \l EntityReference or \l EndDocument is seen, no
|
||||
+ tokens of type StartDocument or DTD will be seen. If one is present in
|
||||
+ the input stream, out of order, an error is raised.
|
||||
+
|
||||
+ \note The token types \l Comment and \l ProcessingInstruction may appear
|
||||
+ anywhere in the stream.
|
||||
|
||||
If an error occurs while parsing, atEnd() and hasError() return
|
||||
true, and error() returns the error that occurred. The functions
|
||||
@@ -620,6 +641,7 @@
|
||||
d->token = -1;
|
||||
return readNext();
|
||||
}
|
||||
+ d->checkToken();
|
||||
return d->type;
|
||||
}
|
||||
|
||||
@@ -740,6 +762,14 @@
|
||||
};
|
||||
|
||||
|
||||
+static const char QXmlStreamReader_XmlContextString[] =
|
||||
+ "Prolog\0"
|
||||
+ "Body\0";
|
||||
+
|
||||
+static const short QXmlStreamReader_XmlContextString_indices[] = {
|
||||
+ 0, 7
|
||||
+};
|
||||
+
|
||||
/*!
|
||||
\property QXmlStreamReader::namespaceProcessing
|
||||
The namespace-processing flag of the stream reader
|
||||
@@ -775,6 +805,16 @@
|
||||
QXmlStreamReader_tokenTypeString_indices[d->type]);
|
||||
}
|
||||
|
||||
+/*!
|
||||
+ \internal
|
||||
+ \return \param ctxt (Prolog/Body) as a string.
|
||||
+ */
|
||||
+QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt)
|
||||
+{
|
||||
+ return QLatin1String(QXmlStreamReader_XmlContextString +
|
||||
+ QXmlStreamReader_XmlContextString_indices[static_cast<int>(ctxt)]);
|
||||
+}
|
||||
+
|
||||
#endif // QT_NO_XMLSTREAMREADER
|
||||
|
||||
QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
|
||||
@@ -866,6 +906,8 @@
|
||||
|
||||
type = QXmlStreamReader::NoToken;
|
||||
error = QXmlStreamReader::NoError;
|
||||
+ currentContext = XmlContext::Prolog;
|
||||
+ foundDTD = false;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -4061,6 +4103,92 @@
|
||||
}
|
||||
}
|
||||
|
||||
+static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type,
|
||||
+ QXmlStreamReaderPrivate::XmlContext loc)
|
||||
+{
|
||||
+ switch (type) {
|
||||
+ case QXmlStreamReader::StartDocument:
|
||||
+ case QXmlStreamReader::DTD:
|
||||
+ return loc == QXmlStreamReaderPrivate::XmlContext::Prolog;
|
||||
+
|
||||
+ case QXmlStreamReader::StartElement:
|
||||
+ case QXmlStreamReader::EndElement:
|
||||
+ case QXmlStreamReader::Characters:
|
||||
+ case QXmlStreamReader::EntityReference:
|
||||
+ case QXmlStreamReader::EndDocument:
|
||||
+ return loc == QXmlStreamReaderPrivate::XmlContext::Body;
|
||||
+
|
||||
+ case QXmlStreamReader::Comment:
|
||||
+ case QXmlStreamReader::ProcessingInstruction:
|
||||
+ return true;
|
||||
+
|
||||
+ case QXmlStreamReader::NoToken:
|
||||
+ case QXmlStreamReader::Invalid:
|
||||
+ return false;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*!
|
||||
+ \internal
|
||||
+ \brief QXmlStreamReader::isValidToken
|
||||
+ \return \c true if \param type is a valid token type.
|
||||
+ \return \c false if \param type is an unexpected token,
|
||||
+ which indicates a non-well-formed or invalid XML stream.
|
||||
+ */
|
||||
+bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type)
|
||||
+{
|
||||
+ // Don't change currentContext, if Invalid or NoToken occur in the prolog
|
||||
+ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken)
|
||||
+ return false;
|
||||
+
|
||||
+ // If a token type gets rejected in the body, there is no recovery
|
||||
+ const bool result = isTokenAllowedInContext(type, currentContext);
|
||||
+ if (result || currentContext == XmlContext::Body)
|
||||
+ return result;
|
||||
+
|
||||
+ // First non-Prolog token observed => switch context to body and check again.
|
||||
+ currentContext = XmlContext::Body;
|
||||
+ return isTokenAllowedInContext(type, currentContext);
|
||||
+}
|
||||
+
|
||||
+/*!
|
||||
+ \internal
|
||||
+ Checks token type and raises an error, if it is invalid
|
||||
+ in the current context (prolog/body).
|
||||
+ */
|
||||
+void QXmlStreamReaderPrivate::checkToken()
|
||||
+{
|
||||
+ Q_Q(QXmlStreamReader);
|
||||
+
|
||||
+ // The token type must be consumed, to keep track if the body has been reached.
|
||||
+ const XmlContext context = currentContext;
|
||||
+ const bool ok = isValidToken(type);
|
||||
+
|
||||
+ // Do nothing if an error has been raised already (going along with an unexpected token)
|
||||
+ if (error != QXmlStreamReader::Error::NoError)
|
||||
+ return;
|
||||
+
|
||||
+ if (!ok) {
|
||||
+ raiseError(QXmlStreamReader::UnexpectedElementError,
|
||||
+ QLatin1String("Unexpected token type %1 in %2.")
|
||||
+ .arg(q->tokenString(), contextString(context)));
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (type != QXmlStreamReader::DTD)
|
||||
+ return;
|
||||
+
|
||||
+ // Raise error on multiple DTD tokens
|
||||
+ if (foundDTD) {
|
||||
+ raiseError(QXmlStreamReader::UnexpectedElementError,
|
||||
+ QLatin1String("Found second DTD token in %1.").arg(contextString(context)));
|
||||
+ } else {
|
||||
+ foundDTD = true;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*!
|
||||
\fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
|
||||
\since 4.5
|
||||
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
|
||||
index 8f7c9e0..708059b 100644
|
||||
--- a/src/corelib/serialization/qxmlstream_p.h
|
||||
+++ b/src/corelib/serialization/qxmlstream_p.h
|
||||
@@ -804,6 +804,17 @@
|
||||
#endif
|
||||
bool atEnd;
|
||||
|
||||
+ enum class XmlContext
|
||||
+ {
|
||||
+ Prolog,
|
||||
+ Body,
|
||||
+ };
|
||||
+
|
||||
+ XmlContext currentContext = XmlContext::Prolog;
|
||||
+ bool foundDTD = false;
|
||||
+ bool isValidToken(QXmlStreamReader::TokenType type);
|
||||
+ void checkToken();
|
||||
+
|
||||
/*!
|
||||
\sa setType()
|
||||
*/
|
||||
|
|
@ -1,197 +0,0 @@
|
|||
diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
|
||||
index 0d98e97453..6a79e55109 100644
|
||||
--- a/src/gui/util/qktxhandler.cpp
|
||||
+++ b/src/gui/util/qktxhandler.cpp
|
||||
@@ -73,7 +73,7 @@ struct KTXHeader {
|
||||
quint32 bytesOfKeyValueData;
|
||||
};
|
||||
|
||||
-static const quint32 headerSize = sizeof(KTXHeader);
|
||||
+static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
|
||||
|
||||
// Currently unused, declared for future reference
|
||||
struct KTXKeyValuePairItem {
|
||||
@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
|
||||
*/
|
||||
};
|
||||
|
||||
-bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
|
||||
+static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) {
|
||||
+ // unsigned additions are well-defined
|
||||
+ *r = v1 + v2;
|
||||
+ return v1 > quint32(v1 + v2);
|
||||
+}
|
||||
+
|
||||
+// Returns the nearest multiple of 4 greater than or equal to 'value'
|
||||
+static bool nearestMultipleOf4(quint32 value, quint32 *result)
|
||||
+{
|
||||
+ constexpr quint32 rounding = 4;
|
||||
+ *result = 0;
|
||||
+ if (qAddOverflow(value, rounding - 1, result))
|
||||
+ return true;
|
||||
+ *result &= ~(rounding - 1);
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
+// Returns a slice with prechecked bounds
|
||||
+static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32 length)
|
||||
{
|
||||
- Q_UNUSED(suffix)
|
||||
+ quint32 end = 0;
|
||||
+ if (qAddOverflow(start, length, &end) || end > quint32(array.length()))
|
||||
+ return {};
|
||||
+ return QByteArray(array.data() + start, length);
|
||||
+}
|
||||
|
||||
- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0);
|
||||
+bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
|
||||
+{
|
||||
+ Q_UNUSED(suffix);
|
||||
+ return block.startsWith(QByteArray::fromRawData(ktxIdentifier, KTX_IDENTIFIER_LENGTH));
|
||||
}
|
||||
|
||||
QTextureFileData QKtxHandler::read()
|
||||
@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read()
|
||||
if (!device())
|
||||
return QTextureFileData();
|
||||
|
||||
- QByteArray buf = device()->readAll();
|
||||
- const quint32 dataSize = quint32(buf.size());
|
||||
- if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
|
||||
- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
|
||||
+ const QByteArray buf = device()->readAll();
|
||||
+ if (size_t(buf.size()) > std::numeric_limits<quint32>::max()) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ if (!canRead(QByteArray(), buf)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ if (buf.size() < qsizetype(qktxh_headerSize)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData());
|
||||
return QTextureFileData();
|
||||
}
|
||||
|
||||
- const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.constData());
|
||||
- if (!checkHeader(*header)) {
|
||||
- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
|
||||
+ KTXHeader header;
|
||||
+ memcpy(&header, buf.data(), qktxh_headerSize);
|
||||
+ if (!checkHeader(header)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
|
||||
return QTextureFileData();
|
||||
}
|
||||
|
||||
QTextureFileData texData;
|
||||
texData.setData(buf);
|
||||
|
||||
- texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight)));
|
||||
- texData.setGLFormat(decode(header->glFormat));
|
||||
- texData.setGLInternalFormat(decode(header->glInternalFormat));
|
||||
- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat));
|
||||
-
|
||||
- texData.setNumLevels(decode(header->numberOfMipmapLevels));
|
||||
- quint32 offset = headerSize + decode(header->bytesOfKeyValueData);
|
||||
- const int maxLevels = qMin(texData.numLevels(), 32); // Cap iterations in case of corrupt file.
|
||||
- for (int i = 0; i < maxLevels; i++) {
|
||||
- if (offset + sizeof(KTXMipmapLevel) > dataSize) // Corrupt file; avoid oob read
|
||||
- break;
|
||||
- const KTXMipmapLevel *level = reinterpret_cast<const KTXMipmapLevel *>(buf.constData() + offset);
|
||||
- quint32 levelLen = decode(level->imageSize);
|
||||
- texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i);
|
||||
- texData.setDataLength(levelLen, i);
|
||||
- offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 - ((levelLen + 3) % 4));
|
||||
+ texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight)));
|
||||
+ texData.setGLFormat(decode(header.glFormat));
|
||||
+ texData.setGLInternalFormat(decode(header.glInternalFormat));
|
||||
+ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat));
|
||||
+
|
||||
+ texData.setNumLevels(decode(header.numberOfMipmapLevels));
|
||||
+
|
||||
+ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData);
|
||||
+ quint32 headerKeyValueSize;
|
||||
+ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s",
|
||||
+ logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ if (headerKeyValueSize >= quint32(buf.size())) {
|
||||
+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ // Technically, any number of levels is allowed but if the value is bigger than
|
||||
+ // what is possible in KTX V2 (and what makes sense) we return an error.
|
||||
+ // maxLevels = log2(max(width, height, depth))
|
||||
+ const int maxLevels = (sizeof(quint32) * 8)
|
||||
+ - qCountLeadingZeroBits(std::max(
|
||||
+ { header.pixelWidth, header.pixelHeight, header.pixelDepth }));
|
||||
+
|
||||
+ if (texData.numLevels() > maxLevels) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ quint32 offset = headerKeyValueSize;
|
||||
+ for (int level = 0; level < texData.numLevels(); level++) {
|
||||
+ const auto imageSizeSlice = safeSlice(buf, offset, sizeof(quint32));
|
||||
+ if (imageSizeSlice.isEmpty()) {
|
||||
+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ const quint32 imageSize = decode(qFromUnaligned<quint32>(imageSizeSlice.data()));
|
||||
+ offset += sizeof(quint32); // overflow checked indirectly above
|
||||
+
|
||||
+ texData.setDataOffset(offset, level);
|
||||
+ texData.setDataLength(imageSize, level);
|
||||
+
|
||||
+ // Add image data and padding to offset
|
||||
+ quint32 padded = 0;
|
||||
+ if (nearestMultipleOf4(imageSize, &padded)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ quint32 offsetNext;
|
||||
+ if (qAddOverflow(offset, padded, &offsetNext)) {
|
||||
+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
|
||||
+ return QTextureFileData();
|
||||
+ }
|
||||
+
|
||||
+ offset = offsetNext;
|
||||
}
|
||||
|
||||
if (!texData.isValid()) {
|
||||
- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData());
|
||||
+ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s",
|
||||
+ logName().constData());
|
||||
return QTextureFileData();
|
||||
}
|
||||
|
||||
@@ -191,7 +271,7 @@ bool QKtxHandler::checkHeader(const KTXHeader &header)
|
||||
(decode(header.numberOfFaces) == 1));
|
||||
}
|
||||
|
||||
-quint32 QKtxHandler::decode(quint32 val)
|
||||
+quint32 QKtxHandler::decode(quint32 val) const
|
||||
{
|
||||
return inverseEndian ? qbswap<quint32>(val) : val;
|
||||
}
|
||||
diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h
|
||||
index f831e59d95..cdf1b2eaf8 100644
|
||||
--- a/src/gui/util/qktxhandler_p.h
|
||||
+++ b/src/gui/util/qktxhandler_p.h
|
||||
@@ -68,7 +68,7 @@ public:
|
||||
|
||||
private:
|
||||
bool checkHeader(const KTXHeader &header);
|
||||
- quint32 decode(quint32 val);
|
||||
+ quint32 decode(quint32 val) const;
|
||||
|
||||
bool inverseEndian = false;
|
||||
};
|
||||
|
|
@ -41,7 +41,7 @@ BuildRequires: pkgconfig(libsystemd)
|
|||
Name: qt5-qtbase
|
||||
Summary: Qt5 - QtBase components
|
||||
Version: 5.15.3
|
||||
Release: 7%{?dist}
|
||||
Release: 1%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, for exception details
|
||||
License: LGPLv2 with exceptions or GPLv3 with exceptions
|
||||
|
|
@ -124,15 +124,6 @@ Patch90: %{name}-gcc11.patch
|
|||
Patch100: kde-5.15-rollup-20220324.patch.gz
|
||||
# HACK to make 'fedpkg sources' consider it 'used"
|
||||
Source100: kde-5.15-rollup-20220324.patch.gz
|
||||
Patch110: CVE-2023-32762-qtbase-5.15.patch
|
||||
Patch111: CVE-2023-32763-qtbase-5.15.patch
|
||||
Patch112: CVE-2023-33285-qtbase-5.15.patch
|
||||
Patch113: CVE-2023-34410-qtbase-5.15.patch
|
||||
Patch114: CVE-2023-37369-qtbase-5.15.patch
|
||||
Patch115: CVE-2023-38197-qtbase-5.15.patch
|
||||
Patch116: 0001-CVE-2023-51714-qtbase-5.15.patch
|
||||
Patch117: 0002-CVE-2023-51714-qtbase-5.15.patch
|
||||
Patch118: CVE-2024-25580-qtbase-5.15.patch
|
||||
|
||||
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
|
||||
# Those themes are there for platform integration. If the required libraries are
|
||||
|
|
@ -391,16 +382,6 @@ Qt5 libraries used for drawing widgets and OpenGL items.
|
|||
## upstream patches
|
||||
%patch100 -p1
|
||||
|
||||
%patch110 -p1
|
||||
%patch111 -p1
|
||||
%patch112 -p1
|
||||
%patch113 -p1
|
||||
%patch114 -p1
|
||||
%patch115 -p1
|
||||
%patch116 -p1
|
||||
%patch117 -p1
|
||||
%patch118 -p1
|
||||
|
||||
# move some bundled libs to ensure they're not accidentally used
|
||||
pushd src/3rdparty
|
||||
mkdir UNUSED
|
||||
|
|
@ -1074,34 +1055,6 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Feb 16 2024 Jan Grulich <jgrulich@redhat.com> - 5.15.3-7
|
||||
- Fix CVE-2024-25580: potential buffer overflow when reading KTX images
|
||||
Resolves: RHEL-25725
|
||||
|
||||
* Thu Jan 04 2024 Jan Grulich <jgrulich@redhat.com> - 5.15.3-6
|
||||
- Fix incorrect integer overflow check in HTTP2 implementation
|
||||
Resolves: RHEL-20238
|
||||
|
||||
* Fri Jul 21 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-5
|
||||
- Fix infinite loops in QXmlStreamReader (CVE-2023-38197)
|
||||
Resolves: bz#2222770
|
||||
|
||||
* Fri Jun 09 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-4
|
||||
- Don't allow remote attacker to bypass security restrictions caused by
|
||||
flaw in certificate validation (CVE-2023-34410) (version #2)
|
||||
Resolves: bz#2212753
|
||||
|
||||
* Tue Jun 06 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-3
|
||||
- Don't allow remote attacker to bypass security restrictions caused by
|
||||
flaw in certificate validation (CVE-2023-34410)
|
||||
Resolves: bz#2212753
|
||||
|
||||
* Wed May 24 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-2
|
||||
- Fix specific overflow in qtextlayout
|
||||
- Fix incorrect parsing of the strict-transport-security (HSTS) header
|
||||
- Fix buffer over-read via a crafted reply from a DNS server
|
||||
Resolves: bz#2209491
|
||||
|
||||
* Thu Mar 24 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.3-1
|
||||
- 5.15.3 + sync with Fedora
|
||||
Resolves: bz#2061377
|
||||
|
|
|
|||
Loading…
Reference in New Issue