diff options
Diffstat (limited to 'dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch')
| -rw-r--r-- | dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch b/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch deleted file mode 100644 index 8d2b0e74ad08..000000000000 --- a/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch +++ /dev/null @@ -1,55 +0,0 @@ -Combination of the two patches [1][2] for CVE-2023-51714[3], -fixed in upcoming qtbase-6.6.2. - -https://bugs.gentoo.org/921292 - -[1] https://codereview.qt-project.org/c/qt/qtbase/+/525295 -[2] https://codereview.qt-project.org/c/qt/qtbase/+/525297 -[3] https://lists.qt-project.org/pipermail/announce/2024-January/000465.html - -From 13c16b756900fe524f6d9534e8a07aa003c05e0c Mon Sep 17 00:00:00 2001 -From: Marc Mutz <marc.mutz@qt.io> -Date: Tue, 12 Dec 2023 20:51:56 +0100 -Subject: [PATCH] HPack: fix a Yoda Condition - -Putting the variable on the LHS of a relational operation makes the -expression easier to read. In this case, we find that the whole -expression is nonsensical as an overflow protection, because if -name.size() + value.size() overflows, the result will exactly _not_ -be > max() - 32, because UB will have happened. - -To be fixed in a follow-up commit. - -As a drive-by, add parentheses around the RHS. - -From 811b9eef6d08d929af8708adbf2a5effb0eb62d7 Mon Sep 17 00:00:00 2001 -From: Marc Mutz <marc.mutz@qt.io> -Date: Tue, 12 Dec 2023 22:08:07 +0100 -Subject: [PATCH] HPack: fix incorrect integer overflow check - -This code never worked: - -For the comparison with max() - 32 to trigger, on 32-bit platforms (or -Qt 5) signed interger overflow would have had to happen in the -addition of the two sizes. The compiler can therefore remove the -overflow check as dead code. - -On Qt 6 and 64-bit platforms, the signed integer addition would be -very unlikely to overflow, but the following truncation to uint32 -would yield the correct result only in a narrow 32-value window just -below UINT_MAX, if even that. - -Fix by using the proper tool, qAddOverflow. ---- a/src/network/access/http2/hpacktable.cpp -+++ b/src/network/access/http2/hpacktable.cpp -@@ -27,6 +27,8 @@ - // 32 octets of overhead." - -- const unsigned sum = unsigned(name.size() + value.size()); -- if (std::numeric_limits<unsigned>::max() - 32 < sum) -+ size_t sum; -+ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)) -+ return HeaderSize(); -+ if (sum > (std::numeric_limits<unsigned>::max() - 32)) - return HeaderSize(); - return HeaderSize(true, quint32(sum + 32)); |