rpms/qt6-qtdeclarative
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c10s
qt6-qtdeclarative/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
Jan Grulich faf561abce VectorImage: sanitize source string used in output (CVE-2025-14576) 
Resolves: RHEL-173495
2026-05-19 09:51:47 +02:00

56 lines
2.0 KiB
Diff
Raw Permalink Blame History

From 1f35339b03fcb8787028e1301012a559328815fb Mon Sep 17 00:00:00 2001
From: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
Date: Tue, 09 Dec 2025 07:39:32 +0100
Subject: [PATCH] VectorImage: Sanitize source string used in output
The source string is used as an object name in the output, so it gets
sanitized to prevent illegal characters. While SVG already mandates a
limited character set, rather than relying on the parser, sanitization
happens before passing to the generator -- consistent with how the
Lottie visitor handles it.
Fixes: QTBUG-142556
Pick-to: 6.8
Change-Id: I0684e726ab69a0735dcb5f91369b090d58a90b7b
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
.../generator/qsvgvisitorimpl.cpp | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
index 87ce1e80..b7c0dbfe 100644
--- a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+++ b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
@@ -1101,9 +1101,27 @@ void QSvgVisitorImpl::visitDocumentNodeEnd(const QSvgTinyDocument *node)
m_generator->generateRootNode(info);
}
+static QString scrub(const QString &raw)
+{
+ QString res(raw.left(80));
+
+ if (!res.isEmpty()) {
+ constexpr QLatin1StringView legalSymbols("_-.:");
+ qsizetype i = 0;
+ do {
+ if (res.at(i).isLetterOrNumber() || legalSymbols.contains(res.at(i)))
+ i++;
+ else
+ res.remove(i, 1);
+ } while (i < res.size());
+ }
+
+ return res;
+}
+
void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info)
{
- info.nodeId = node->nodeId();
+ info.nodeId = scrub(node->nodeId());
info.typeName = node->typeName();
info.isDefaultTransform = node->style().transform.isDefault();
info.transform.setDefaultValue(QVariant::fromValue(!info.isDefaultTransform
--
2.53.0
Reference in New Issue View Git Blame Copy Permalink