import qt5-qtsvg-5.15.3-1.el8

This commit is contained in:
CentOS Sources 2022-09-27 05:48:20 -04:00 committed by Stepan Oksanichenko
parent 523a22ad3c
commit 44b91371ab
6 changed files with 54 additions and 93 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/qtsvg-everywhere-src-5.15.2.tar.xz SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz

View File

@ -1 +1 @@
08531b47924078cbde6dfbf56da83651d58f6a13 SOURCES/qtsvg-everywhere-src-5.15.2.tar.xz 098a144b80997400be2f13ef5b9ddb286e0274c7 SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz

View File

@ -0,0 +1,23 @@
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index b3d9aaf..9dac05c 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -673,7 +673,8 @@ static qreal toDouble(const QChar *&str)
val = -val;
} else {
val = QByteArray::fromRawData(temp, pos).toDouble();
- if (qFpClassify(val) != FP_NORMAL)
+ // Do not tolerate values too wild to be represented normally by floats
+ if (qFpClassify(float(val)) != FP_NORMAL)
val = 0;
}
return val;
@@ -3046,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
ncy = toDouble(cy);
if (!r.isEmpty())
nr = toDouble(r);
+ if (nr < 0.5)
+ nr = 0.5;
qreal nfx = ncx;
if (!fx.isEmpty())

View File

@ -1,31 +1,8 @@
From 5b9285c34731e67f9f1d61ec804740991f2a0380 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 25 Oct 2021 14:17:55 +0200
Subject: [PATCH] Do stricter error checking when parsing path nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The SVG spec mandates that path parsing should terminate on the first
error encountered, and an error be reported. To improve the handling
of corrupt files, implement such error handling, and also limit the
number of QPainterPath elements to a reasonable range.
Fixes: QTBUG-96044
Pick-to: 6.2 5.15 5.12
Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620)
---
src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------
1 file changed, 25 insertions(+), 34 deletions(-)
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index b542089..2ea80ed 100644 index b3d9aaf..402a71f 100644
--- a/src/svg/qsvghandler.cpp --- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp
@@ -1627,6 +1627,7 @@ static void pathArc(QPainterPath &path, @@ -1614,6 +1614,7 @@ static void pathArc(QPainterPath &path,
static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
{ {
@ -33,7 +10,7 @@ index b542089..2ea80ed 100644
qreal x0 = 0, y0 = 0; // starting point qreal x0 = 0, y0 = 0; // starting point
qreal x = 0, y = 0; // current point qreal x = 0, y = 0; // current point
char lastMode = 0; char lastMode = 0;
@@ -1634,7 +1635,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1621,7 +1622,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
const QChar *str = dataStr.constData(); const QChar *str = dataStr.constData();
const QChar *end = str + dataStr.size(); const QChar *end = str + dataStr.size();
@ -43,7 +20,7 @@ index b542089..2ea80ed 100644
while (str->isSpace() && (str + 1) != end) while (str->isSpace() && (str + 1) != end)
++str; ++str;
QChar pathElem = *str; QChar pathElem = *str;
@@ -1651,14 +1653,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1635,14 +1637,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
arg.append(0);//dummy arg.append(0);//dummy
const qreal *num = arg.constData(); const qreal *num = arg.constData();
int count = arg.count(); int count = arg.count();
@ -60,7 +37,7 @@ index b542089..2ea80ed 100644
break; break;
} }
x = x0 = num[0] + offsetX; x = x0 = num[0] + offsetX;
@@ -1675,8 +1676,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1659,8 +1660,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
break; break;
case 'M': { case 'M': {
if (count < 2) { if (count < 2) {
@ -70,7 +47,7 @@ index b542089..2ea80ed 100644
break; break;
} }
x = x0 = num[0]; x = x0 = num[0];
@@ -1702,8 +1702,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1686,8 +1686,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
break; break;
case 'l': { case 'l': {
if (count < 2) { if (count < 2) {
@ -80,7 +57,7 @@ index b542089..2ea80ed 100644
break; break;
} }
x = num[0] + offsetX; x = num[0] + offsetX;
@@ -1716,8 +1715,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1700,8 +1699,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
break; break;
case 'L': { case 'L': {
if (count < 2) { if (count < 2) {
@ -90,7 +67,7 @@ index b542089..2ea80ed 100644
break; break;
} }
x = num[0]; x = num[0];
@@ -1757,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1741,8 +1739,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
break; break;
case 'c': { case 'c': {
if (count < 6) { if (count < 6) {
@ -100,7 +77,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c1(num[0] + offsetX, num[1] + offsetY); QPointF c1(num[0] + offsetX, num[1] + offsetY);
@@ -1774,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1758,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'C': { case 'C': {
if (count < 6) { if (count < 6) {
@ -110,7 +87,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c1(num[0], num[1]); QPointF c1(num[0], num[1]);
@@ -1791,8 +1787,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1775,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 's': { case 's': {
if (count < 4) { if (count < 4) {
@ -120,7 +97,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c1; QPointF c1;
@@ -1813,8 +1808,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1797,8 +1792,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'S': { case 'S': {
if (count < 4) { if (count < 4) {
@ -130,7 +107,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c1; QPointF c1;
@@ -1835,8 +1829,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1819,8 +1813,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'q': { case 'q': {
if (count < 4) { if (count < 4) {
@ -140,7 +117,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c(num[0] + offsetX, num[1] + offsetY); QPointF c(num[0] + offsetX, num[1] + offsetY);
@@ -1851,8 +1844,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1835,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'Q': { case 'Q': {
if (count < 4) { if (count < 4) {
@ -150,7 +127,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF c(num[0], num[1]); QPointF c(num[0], num[1]);
@@ -1867,8 +1859,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1851,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 't': { case 't': {
if (count < 2) { if (count < 2) {
@ -160,7 +137,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF e(num[0] + offsetX, num[1] + offsetY); QPointF e(num[0] + offsetX, num[1] + offsetY);
@@ -1888,8 +1879,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1872,8 +1863,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'T': { case 'T': {
if (count < 2) { if (count < 2) {
@ -170,7 +147,7 @@ index b542089..2ea80ed 100644
break; break;
} }
QPointF e(num[0], num[1]); QPointF e(num[0], num[1]);
@@ -1909,8 +1899,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1893,8 +1883,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
case 'a': { case 'a': {
if (count < 7) { if (count < 7) {
@ -180,7 +157,7 @@ index b542089..2ea80ed 100644
break; break;
} }
qreal rx = (*num++); qreal rx = (*num++);
@@ -1932,8 +1921,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1916,8 +1905,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
break; break;
case 'A': { case 'A': {
if (count < 7) { if (count < 7) {
@ -190,7 +167,7 @@ index b542089..2ea80ed 100644
break; break;
} }
qreal rx = (*num++); qreal rx = (*num++);
@@ -1954,12 +1942,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) @@ -1938,12 +1926,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
} }
break; break;
default: default:
@ -208,7 +185,7 @@ index b542089..2ea80ed 100644
} }
static bool parseStyle(QSvgNode *node, static bool parseStyle(QSvgNode *node,
@@ -2997,8 +2988,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, @@ -2979,8 +2970,8 @@ static QSvgNode *createPathNode(QSvgNode *parent,
QPainterPath qpath; QPainterPath qpath;
qpath.setFillRule(Qt::WindingFill); qpath.setFillRule(Qt::WindingFill);
@ -219,6 +196,3 @@ index b542089..2ea80ed 100644
QSvgNode *path = new QSvgPath(parent, qpath); QSvgNode *path = new QSvgPath(parent, qpath);
return path; return path;
--
GitLab

View File

@ -1,39 +0,0 @@
From bfd6ee0d8cf34b63d32adf10ed93daa0086b359f Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 04 Mar 2021 14:28:48 +0100
Subject: [PATCH] Clamp parsed doubles to float representable values
Parts of our rendering assumes incoming doubles can still be sane
floats.
Pick-to: 6.1 6.0 5.15 5.12
Fixes: QTBUG-91507
Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
---
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index c937254..c88b6cc 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -672,6 +672,9 @@ static qreal toDouble(const QChar *&str)
val = -val;
} else {
val = QByteArray::fromRawData(temp, pos).toDouble();
+ // Do not tolerate values too wild to be represented normally by floats
+ if (std::fpclassify(float(val)) != FP_NORMAL)
+ val = 0;
}
return val;
@@ -3043,6 +3046,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
ncy = toDouble(cy);
if (!r.isEmpty())
nr = toDouble(r);
+ if (nr < 0.5)
+ nr = 0.5;
qreal nfx = ncx;
if (!fx.isEmpty())

View File

@ -4,20 +4,19 @@
Summary: Qt5 - Support for rendering and displaying SVG Summary: Qt5 - Support for rendering and displaying SVG
Name: qt5-%{qt_module} Name: qt5-%{qt_module}
Version: 5.15.2 Version: 5.15.3
Release: 4%{?dist} Release: 1%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions License: LGPLv2 with exceptions or GPLv3 with exceptions
Url: http://www.qt.io Url: http://www.qt.io
%global majmin %(echo %{version} | cut -d. -f1-2) %global majmin %(echo %{version} | cut -d. -f1-2)
Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz
# Security fixes # upstream fix
Patch100: qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
Patch1: qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch
# CVE-2021-45930 qt5-qtsvg: qt: out-of-bounds write may lead to DoS
Patch101: qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch
BuildRequires: qt5-qtbase-devel >= %{version} BuildRequires: qt5-qtbase-devel >= %{version}
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
@ -125,6 +124,10 @@ popd
%changelog %changelog
* Mon Mar 28 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.3-1
- 5.15.3
Resolves: bz#2061405
* Wed Jan 12 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.2-4 * Wed Jan 12 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.2-4
- Fix out-of-bound write that may lead to DoS - Fix out-of-bound write that may lead to DoS
Resolves: bz#2038487 Resolves: bz#2038487