From 082c25afe8e0979b3c3997aa5a3a63cdd6b7ff6b Mon Sep 17 00:00:00 2001 From: James Antill Date: Tue, 31 May 2022 14:55:59 -0400 Subject: [PATCH] Auto sync2gitlab import of qt5-qtsvg-5.15.3-1.el8.src.rpm --- .gitignore | 1 + qt5-qtsvg.spec | 17 +++-- ...ubles-to-float-representtable-values.patch | 23 +++++++ ...ror-checking-when-parsing-path-nodes.patch | 64 ++++++------------- ...oubles-to-float-representable-values.patch | 39 ----------- sources | 2 +- 6 files changed, 54 insertions(+), 92 deletions(-) create mode 100644 qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch rename qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch => qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch (73%) delete mode 100644 qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch diff --git a/.gitignore b/.gitignore index b2c6ca4..70cc9a1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /qtsvg-everywhere-src-5.15.2.tar.xz +/qtsvg-everywhere-opensource-src-5.15.3.tar.xz diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index 7a9e978..f6c178e 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec @@ -4,20 +4,19 @@ Summary: Qt5 - Support for rendering and displaying SVG Name: qt5-%{qt_module} -Version: 5.15.2 -Release: 4%{?dist} +Version: 5.15.3 +Release: 1%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions Url: http://www.qt.io %global majmin %(echo %{version} | cut -d. -f1-2) -Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz +Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz -# Security fixes -Patch100: qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch +# upstream fix +Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch +Patch1: qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch -# CVE-2021-45930 qt5-qtsvg: qt: out-of-bounds write may lead to DoS -Patch101: qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch BuildRequires: qt5-qtbase-devel >= %{version} BuildRequires: pkgconfig(zlib) @@ -125,6 +124,10 @@ popd %changelog +* Mon Mar 28 2022 Jan Grulich - 5.15.3-1 +- 5.15.3 + Resolves: bz#2061405 + * Wed Jan 12 2022 Jan Grulich - 5.15.2-4 - Fix out-of-bound write that may lead to DoS Resolves: bz#2038487 diff --git a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch new file mode 100644 index 0000000..bb9610c --- /dev/null +++ b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch @@ -0,0 +1,23 @@ +diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp +index b3d9aaf..9dac05c 100644 +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -673,7 +673,8 @@ static qreal toDouble(const QChar *&str) + val = -val; + } else { + val = QByteArray::fromRawData(temp, pos).toDouble(); +- if (qFpClassify(val) != FP_NORMAL) ++ // Do not tolerate values too wild to be represented normally by floats ++ if (qFpClassify(float(val)) != FP_NORMAL) + val = 0; + } + return val; +@@ -3046,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, + ncy = toDouble(cy); + if (!r.isEmpty()) + nr = toDouble(r); ++ if (nr < 0.5) ++ nr = 0.5; + + qreal nfx = ncx; + if (!fx.isEmpty()) diff --git a/qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch b/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch similarity index 73% rename from qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch rename to qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch index 274cf43..d47d0e3 100644 --- a/qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch +++ b/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch @@ -1,31 +1,8 @@ -From 5b9285c34731e67f9f1d61ec804740991f2a0380 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland -Date: Mon, 25 Oct 2021 14:17:55 +0200 -Subject: [PATCH] Do stricter error checking when parsing path nodes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SVG spec mandates that path parsing should terminate on the first -error encountered, and an error be reported. To improve the handling -of corrupt files, implement such error handling, and also limit the -number of QPainterPath elements to a reasonable range. - -Fixes: QTBUG-96044 -Pick-to: 6.2 5.15 5.12 -Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 -Reviewed-by: Allan Sandfeld Jensen -Reviewed-by: Robert Löhning -(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) ---- - src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 34 deletions(-) - diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index b542089..2ea80ed 100644 +index b3d9aaf..402a71f 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp -@@ -1627,6 +1627,7 @@ static void pathArc(QPainterPath &path, +@@ -1614,6 +1614,7 @@ static void pathArc(QPainterPath &path, static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) { @@ -33,7 +10,7 @@ index b542089..2ea80ed 100644 qreal x0 = 0, y0 = 0; // starting point qreal x = 0, y = 0; // current point char lastMode = 0; -@@ -1634,7 +1635,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1621,7 +1622,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) const QChar *str = dataStr.constData(); const QChar *end = str + dataStr.size(); @@ -43,7 +20,7 @@ index b542089..2ea80ed 100644 while (str->isSpace() && (str + 1) != end) ++str; QChar pathElem = *str; -@@ -1651,14 +1653,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1635,14 +1637,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) arg.append(0);//dummy const qreal *num = arg.constData(); int count = arg.count(); @@ -60,7 +37,7 @@ index b542089..2ea80ed 100644 break; } x = x0 = num[0] + offsetX; -@@ -1675,8 +1676,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1659,8 +1660,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'M': { if (count < 2) { @@ -70,7 +47,7 @@ index b542089..2ea80ed 100644 break; } x = x0 = num[0]; -@@ -1702,8 +1702,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1686,8 +1686,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'l': { if (count < 2) { @@ -80,7 +57,7 @@ index b542089..2ea80ed 100644 break; } x = num[0] + offsetX; -@@ -1716,8 +1715,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1700,8 +1699,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'L': { if (count < 2) { @@ -90,7 +67,7 @@ index b542089..2ea80ed 100644 break; } x = num[0]; -@@ -1757,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1741,8 +1739,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'c': { if (count < 6) { @@ -100,7 +77,7 @@ index b542089..2ea80ed 100644 break; } QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1774,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1758,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'C': { if (count < 6) { @@ -110,7 +87,7 @@ index b542089..2ea80ed 100644 break; } QPointF c1(num[0], num[1]); -@@ -1791,8 +1787,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1775,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 's': { if (count < 4) { @@ -120,7 +97,7 @@ index b542089..2ea80ed 100644 break; } QPointF c1; -@@ -1813,8 +1808,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1797,8 +1792,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'S': { if (count < 4) { @@ -130,7 +107,7 @@ index b542089..2ea80ed 100644 break; } QPointF c1; -@@ -1835,8 +1829,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1819,8 +1813,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'q': { if (count < 4) { @@ -140,7 +117,7 @@ index b542089..2ea80ed 100644 break; } QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1851,8 +1844,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1835,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'Q': { if (count < 4) { @@ -150,7 +127,7 @@ index b542089..2ea80ed 100644 break; } QPointF c(num[0], num[1]); -@@ -1867,8 +1859,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1851,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 't': { if (count < 2) { @@ -160,7 +137,7 @@ index b542089..2ea80ed 100644 break; } QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1888,8 +1879,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1872,8 +1863,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'T': { if (count < 2) { @@ -170,7 +147,7 @@ index b542089..2ea80ed 100644 break; } QPointF e(num[0], num[1]); -@@ -1909,8 +1899,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1893,8 +1883,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'a': { if (count < 7) { @@ -180,7 +157,7 @@ index b542089..2ea80ed 100644 break; } qreal rx = (*num++); -@@ -1932,8 +1921,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1916,8 +1905,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'A': { if (count < 7) { @@ -190,7 +167,7 @@ index b542089..2ea80ed 100644 break; } qreal rx = (*num++); -@@ -1954,12 +1942,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1938,12 +1926,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } break; default: @@ -208,7 +185,7 @@ index b542089..2ea80ed 100644 } static bool parseStyle(QSvgNode *node, -@@ -2997,8 +2988,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, +@@ -2979,8 +2970,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, QPainterPath qpath; qpath.setFillRule(Qt::WindingFill); @@ -219,6 +196,3 @@ index b542089..2ea80ed 100644 QSvgNode *path = new QSvgPath(parent, qpath); return path; --- -GitLab - diff --git a/qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch b/qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch deleted file mode 100644 index f865de8..0000000 --- a/qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch +++ /dev/null @@ -1,39 +0,0 @@ -From bfd6ee0d8cf34b63d32adf10ed93daa0086b359f Mon Sep 17 00:00:00 2001 -From: Allan Sandfeld Jensen -Date: Thu, 04 Mar 2021 14:28:48 +0100 -Subject: [PATCH] Clamp parsed doubles to float representable values - -Parts of our rendering assumes incoming doubles can still be sane -floats. - -Pick-to: 6.1 6.0 5.15 5.12 -Fixes: QTBUG-91507 -Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d -Reviewed-by: Robert Löhning -Reviewed-by: Allan Sandfeld Jensen -Reviewed-by: Mårten Nordheim ---- - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index c937254..c88b6cc 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -672,6 +672,9 @@ static qreal toDouble(const QChar *&str) - val = -val; - } else { - val = QByteArray::fromRawData(temp, pos).toDouble(); -+ // Do not tolerate values too wild to be represented normally by floats -+ if (std::fpclassify(float(val)) != FP_NORMAL) -+ val = 0; - } - return val; - -@@ -3043,6 +3046,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, - ncy = toDouble(cy); - if (!r.isEmpty()) - nr = toDouble(r); -+ if (nr < 0.5) -+ nr = 0.5; - - qreal nfx = ncx; - if (!fx.isEmpty()) diff --git a/sources b/sources index c985c88..c7d8934 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (qtsvg-everywhere-src-5.15.2.tar.xz) = 101e9c8fc05b1bb9c4e869564bff8e5723dd35f0ef557185e56e9dc12fdce74c531522c9642cdff639900eccf7ed0e04bfa48142741259697dded990fb481730 +SHA512 (qtsvg-everywhere-opensource-src-5.15.3.tar.xz) = 288ce98bb6dd746564c7ffbd0d8221d0816c62b7e33424cd21d945b40308292ec9a0b1e2b9cca6ce91d606c06813f05068cad590d827810383175bebfa8ab527