Resolves: #1931447, Out of bounds read in function QRadialFetchSimd from crafted svg file

2021-03-09 17:54:28 +01:00 · 2021-03-09 17:54:28 +01:00 · 9b6d768191
commit 9b6d768191
parent dff18d18ce
2 changed files with 37 additions and 1 deletions
--- a/qt5-qtsvg.spec
+++ b/qt5-qtsvg.spec
@ -3,7 +3,7 @@
 Summary: Qt5 - Support for rendering and displaying SVG
 Name:    qt5-%{qt_module}
 Version: 5.15.2
-Release: 3%{?dist}
+Release: 4%{?dist}

 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -11,6 +11,9 @@ Url:     http://www.qt.io
 %global majmin %(echo %{version} | cut -d. -f1-2)
 Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz

+# upstream fix
+Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
+
 BuildRequires: make
 BuildRequires: qt5-qtbase-devel >= %{version}
 BuildRequires: pkgconfig(zlib)
@ -86,6 +89,9 @@ popd


 %changelog
+* Tue Mar 09 2021 Than Ngo <than@redhat.com> - 5.15.2-4
+- Resolves: #1931447, Out of bounds read in function QRadialFetchSimd from crafted svg file
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.15.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

--- a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
+++ b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
@ -0,0 +1,30 @@
+diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp
+--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig	2020-10-27 09:02:11.000000000 +0100
+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp	2021-03-09 17:48:50.187425243 +0100
+@@ -65,6 +65,7 @@
+ #include "private/qmath_p.h"
+ 
+ #include "float.h"
+#include <cmath>
+ 
+ QT_BEGIN_NAMESPACE
+ 
+@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
+             val = -val;
+     } else {
+         val = QByteArray::fromRawData(temp, pos).toDouble();
+        // Do not tolerate values too wild to be represented normally by floats
+        if (std::fpclassify(float(val)) != FP_NORMAL)
+            val = 0;
+     }
+     return val;
+ 
+@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr
+         ncy = toDouble(cy);
+     if (!r.isEmpty())
+         nr = toDouble(r);
+    if (nr < 0.5)
+        nr = 0.5;
+ 
+     qreal nfx = ncx;
+     if (!fx.isEmpty())