From 793961fce3ef836fe7dd00feefdd64ead36fb64b Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 21 Sep 2023 20:14:46 +0000 Subject: [PATCH] import CS qt5-qtsvg-5.15.9-2.el9 --- .gitignore | 2 +- .qt5-qtsvg.metadata | 2 +- ...ubles-to-float-representtable-values.patch | 23 -- ...ror-checking-when-parsing-path-nodes.patch | 198 ------------------ SOURCES/qtsvg-CVE-2023-32573.patch | 34 +++ SPECS/qt5-qtsvg.spec | 16 +- 6 files changed, 47 insertions(+), 228 deletions(-) delete mode 100644 SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch delete mode 100644 SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch create mode 100644 SOURCES/qtsvg-CVE-2023-32573.patch diff --git a/.gitignore b/.gitignore index 60568f2..9436774 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz +SOURCES/qtsvg-everywhere-opensource-src-5.15.9.tar.xz diff --git a/.qt5-qtsvg.metadata b/.qt5-qtsvg.metadata index 69f7c04..1dd0734 100644 --- a/.qt5-qtsvg.metadata +++ b/.qt5-qtsvg.metadata @@ -1 +1 @@ -098a144b80997400be2f13ef5b9ddb286e0274c7 SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz +0e2402a26d18744ef2479bda008ad620a6f45f37 SOURCES/qtsvg-everywhere-opensource-src-5.15.9.tar.xz diff --git a/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch deleted file mode 100644 index bb9610c..0000000 --- a/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index b3d9aaf..9dac05c 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -673,7 +673,8 @@ static qreal toDouble(const QChar *&str) - val = -val; - } else { - val = QByteArray::fromRawData(temp, pos).toDouble(); -- if (qFpClassify(val) != FP_NORMAL) -+ // Do not tolerate values too wild to be represented normally by floats -+ if (qFpClassify(float(val)) != FP_NORMAL) - val = 0; - } - return val; -@@ -3046,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, - ncy = toDouble(cy); - if (!r.isEmpty()) - nr = toDouble(r); -+ if (nr < 0.5) -+ nr = 0.5; - - qreal nfx = ncx; - if (!fx.isEmpty()) diff --git a/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch b/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch deleted file mode 100644 index d47d0e3..0000000 --- a/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch +++ /dev/null @@ -1,198 +0,0 @@ -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index b3d9aaf..402a71f 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1614,6 +1614,7 @@ static void pathArc(QPainterPath &path, - - static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - { -+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this - qreal x0 = 0, y0 = 0; // starting point - qreal x = 0, y = 0; // current point - char lastMode = 0; -@@ -1621,7 +1622,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - const QChar *str = dataStr.constData(); - const QChar *end = str + dataStr.size(); - -- while (str != end) { -+ bool ok = true; -+ while (ok && str != end) { - while (str->isSpace() && (str + 1) != end) - ++str; - QChar pathElem = *str; -@@ -1635,14 +1637,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - arg.append(0);//dummy - const qreal *num = arg.constData(); - int count = arg.count(); -- while (count > 0) { -+ while (ok && count > 0) { - qreal offsetX = x; // correction offsets - qreal offsetY = y; // for relative commands - switch (pathElem.unicode()) { - case 'm': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0] + offsetX; -@@ -1659,8 +1660,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'M': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0]; -@@ -1686,8 +1686,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'l': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0] + offsetX; -@@ -1700,8 +1699,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'L': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0]; -@@ -1741,8 +1739,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'c': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1758,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'C': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0], num[1]); -@@ -1775,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 's': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1797,8 +1792,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'S': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1819,8 +1813,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1835,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'Q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0], num[1]); -@@ -1851,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 't': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1872,8 +1863,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'T': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0], num[1]); -@@ -1893,8 +1883,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'a': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1916,8 +1905,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'A': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1938,12 +1926,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - break; - default: -- return false; -+ ok = false; -+ break; - } - lastMode = pathElem.toLatin1(); -+ if (path.elementCount() > maxElementCount) -+ ok = false; - } - } -- return true; -+ return ok; - } - - static bool parseStyle(QSvgNode *node, -@@ -2979,8 +2970,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, - - QPainterPath qpath; - qpath.setFillRule(Qt::WindingFill); -- //XXX do error handling -- parsePathDataFast(data, qpath); -+ if (!parsePathDataFast(data, qpath)) -+ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); - - QSvgNode *path = new QSvgPath(parent, qpath); - return path; diff --git a/SOURCES/qtsvg-CVE-2023-32573.patch b/SOURCES/qtsvg-CVE-2023-32573.patch new file mode 100644 index 0000000..0554756 --- /dev/null +++ b/SOURCES/qtsvg-CVE-2023-32573.patch @@ -0,0 +1,34 @@ +--- a/src/svg/qsvgfont_p.h ++++ b/src/svg/qsvgfont_p.h +@@ -74,6 +74,7 @@ public: + class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted + { + public: ++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000; + QSvgFont(qreal horizAdvX); + + void setFamilyName(const QString &name); +@@ -86,9 +87,7 @@ public: + void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const; + public: + QString m_familyName; +- qreal m_unitsPerEm; +- qreal m_ascent; +- qreal m_descent; ++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM; + qreal m_horizAdvX; + QHash m_glyphs; + }; + + +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent, + + qreal unitsPerEm = toDouble(unitsPerEmStr); + if (!unitsPerEm) +- unitsPerEm = 1000; ++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM; + + if (!name.isEmpty()) + font->setFamilyName(name); diff --git a/SPECS/qt5-qtsvg.spec b/SPECS/qt5-qtsvg.spec index 52e502b..20da649 100644 --- a/SPECS/qt5-qtsvg.spec +++ b/SPECS/qt5-qtsvg.spec @@ -4,8 +4,8 @@ Summary: Qt5 - Support for rendering and displaying SVG Name: qt5-%{qt_module} -Version: 5.15.3 -Release: 1%{?dist} +Version: 5.15.9 +Release: 2%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -13,9 +13,7 @@ Url: http://www.qt.io %global majmin %(echo %{version} | cut -d. -f1-2) Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz -# upstream fix -Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch -Patch1: qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch +Patch0: qtsvg-CVE-2023-32573.patch BuildRequires: make BuildRequires: qt5-qtbase-devel >= %{version} @@ -111,6 +109,14 @@ popd %endif %changelog +* Thu May 18 2023 Jan Grulich - 5.15.9-2 +- Fix uninitialized variable usage in m_unitsPerEm (CVE-2023-32573) + Resolves: bz#2208140 + +* Tue Apr 18 2023 Jan Grulich - 5.15.9-1 +- 5.15.9 + Resolves: bz#2175742 + * Mon Mar 28 2022 Jan Grulich - 5.15.3-1 - 5.15.3 Resolves: bz#2061369