summaryrefslogtreecommitdiff
path: root/dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch
diff options
context:
space:
mode:
Diffstat (limited to 'dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch')
-rw-r--r--dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch b/dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch
new file mode 100644
index 000000000000..2b34807fbd03
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-5.15.9-CVE-2023-32763.patch
@@ -0,0 +1,71 @@
+From e6c8aa2426ef5bd575f85aae530322b145b49006 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Fri, 5 May 2023 09:51:32 +0200
+Subject: [PATCH] Fix specific overflow in qtextlayout (CVE-2023-32763)
+
+Fixes: QTBUG-113337
+Pick-to: 6.5 6.5.1 6.2 5.15
+Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)
+
+* asturmlechner 2023-05-23: Upstream backport to 5.15 taken from
+ https://www.qt.io/blog/security-advisory-qt-svg-1
+---
+ src/gui/painting/qfixed_p.h | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 846592881c..57d750a4b3 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = add_overflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index 26ac37b016..f6c69ff4a2 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
+--
+2.40.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-28 22:53:24 +0000