diff options
Diffstat (limited to 'dev-qt/qtgui')
| -rw-r--r-- | dev-qt/qtgui/Manifest | 1 | ||||
| -rw-r--r-- | dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch | 228 |
2 files changed, 0 insertions, 229 deletions
diff --git a/dev-qt/qtgui/Manifest b/dev-qt/qtgui/Manifest index 24298edf0598..0c301343b8c3 100644 --- a/dev-qt/qtgui/Manifest +++ b/dev-qt/qtgui/Manifest @@ -1,4 +1,3 @@ -AUX qtgui-5.15.12-CVE-2024-25580.patch 9098 BLAKE2B 67207358484eecfc765b340f3d7f8861e0d7772f989ebd7fbe0671a731cb1ffeb5cccfd3598990855701a98a24d1c13ab3e9686f5c77768118a7083074ac8b13 SHA512 b0913b8675549dbf002aeedbe110ed72a32943dbbf8c54b6ec8cee0c173afe5ae17c0a6fda5672ce1fc3f2b5e0e4854a343a1c1ce675d5ffef465c94262e58ce DIST qtbase-5.15-gentoo-patchset-5.tar.xz 9116 BLAKE2B b6318fc7c3ccdbfe85d56797ffaa3b275ce3f324731caca5efb497494837ca00c020494e9f811c0d5e9a460a4d70f16291c637409e7ad72325a36bc55e113c8c SHA512 f0343bf475a86f3f73b98b166ee48b1c5c9200aac9212ad977befe05679d0c351167618b16ae958e6403f33eecdc465b26a0df5d0b83d5d57a8c85ddb8a41c9b DIST qtbase-5.15.13-gentoo-kde-1.tar.xz 331952 BLAKE2B 6fb7314f03e99d8d2f5e8486ea805164f7e42a14c29a46519bae200364ad3798d26fd09bbd9381030b816f0a68c45d98581a76b80ca3fff8ae4c0121c77fc6ae SHA512 2c049f451eaa4a5087bb39283a66e7bbef89b9e3235ae930c48a405aeaaa999e863857c5074de6ad282708c756b8acab40fbb68f2a4a8b45ef7ade72b12bb98d DIST qtbase-everywhere-opensource-src-5.15.13.tar.xz 50862768 BLAKE2B d96d4d6b11aae3c471d5f24ed1030004394dfb89d399d5cddc868f39d0a4851a75ed0d59fdc79ef354c21a354eae0f23df1cfb8c30290d5c080b5fad507ce29a SHA512 565632646b04eed525530a50f1228dd1aa3b8f1318485fa7cf6ad96eabdc2208ed1522b3fc174bd4797b7d51edff18ea1f91a82dd701379407b880f1dd0d16ef diff --git a/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch b/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch deleted file mode 100644 index 41a500c82578..000000000000 --- a/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch +++ /dev/null @@ -1,228 +0,0 @@ -From c8061284095abebebbcd6fea7167477aef44a00c Mon Sep 17 00:00:00 2001 -From: Jonas Karlsson <jonas.karlsson@qt.io> -Date: Thu, 8 Feb 2024 17:01:05 +0100 -Subject: [PATCH] Improve KTX file reading memory safety - -* Use qAddOverflow/qSubOverflow methods for catching additions and - subtractions with overflow and handle these scenarios when reading the - file. -* Add 'safeView' method that checks that the byte array view constructed - is not out of bounds. -* Return error if number of levels is higher than what is reasonable. -* Return error if number of faces is incorrect. -* Add unit test with invalid KTX file previously causing a segmentation - fault. - -This fixes CVE-2024-25580. - -Fixes: QTBUG-121918 -Pick-to: 6.7 6.6 6.5 6.2 5.15 -Change-Id: Ie0824c32a5921de30cf07c1fc1b49a084e6d07b2 -Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> -Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> -(cherry picked from commit 28ecb523ce8490bff38b251b3df703c72e057519) ---- - src/gui/util/qktxhandler.cpp | 138 +++++++++++++++++++++++++++-------- - src/gui/util/qktxhandler_p.h | 2 +- - 2 files changed, 110 insertions(+), 30 deletions(-) - -diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp -index 7eda4c46fb..2853e46c3d 100644 ---- a/src/gui/util/qktxhandler.cpp -+++ b/src/gui/util/qktxhandler.cpp -@@ -73,7 +73,7 @@ struct KTXHeader { - quint32 bytesOfKeyValueData; - }; - --static const quint32 headerSize = sizeof(KTXHeader); -+static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader); - - // Currently unused, declared for future reference - struct KTXKeyValuePairItem { -@@ -103,11 +103,36 @@ struct KTXMipmapLevel { - */ - }; - --bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block) -+static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) { -+ // unsigned additions are well-defined -+ *r = v1 + v2; -+ return v1 > quint32(v1 + v2); -+} -+ -+// Returns the nearest multiple of 4 greater than or equal to 'value' -+static bool nearestMultipleOf4(quint32 value, quint32 *result) -+{ -+ constexpr quint32 rounding = 4; -+ *result = 0; -+ if (qAddOverflow(value, rounding - 1, result)) -+ return true; -+ *result &= ~(rounding - 1); -+ return false; -+} -+ -+// Returns a slice with prechecked bounds -+static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32 length) - { -- Q_UNUSED(suffix) -+ quint32 end = 0; -+ if (qAddOverflow(start, length, &end) || end > quint32(array.length())) -+ return {}; -+ return QByteArray(array.data() + start, length); -+} - -- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0); -+bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block) -+{ -+ Q_UNUSED(suffix); -+ return block.startsWith(QByteArray::fromRawData(ktxIdentifier, KTX_IDENTIFIER_LENGTH)); - } - - QTextureFileData QKtxHandler::read() -@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read() - if (!device()) - return QTextureFileData(); - -- QByteArray buf = device()->readAll(); -- const quint32 dataSize = quint32(buf.size()); -- if (dataSize < headerSize || !canRead(QByteArray(), buf)) { -- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); -+ const QByteArray buf = device()->readAll(); -+ if (size_t(buf.size()) > std::numeric_limits<quint32>::max()) { -+ qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ if (!canRead(QByteArray(), buf)) { -+ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ if (buf.size() < qsizetype(qktxh_headerSize)) { -+ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData()); - return QTextureFileData(); - } - -- const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.constData()); -- if (!checkHeader(*header)) { -- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); -+ KTXHeader header; -+ memcpy(&header, buf.data(), qktxh_headerSize); -+ if (!checkHeader(header)) { -+ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); - return QTextureFileData(); - } - - QTextureFileData texData; - texData.setData(buf); - -- texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight))); -- texData.setGLFormat(decode(header->glFormat)); -- texData.setGLInternalFormat(decode(header->glInternalFormat)); -- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat)); -- -- texData.setNumLevels(decode(header->numberOfMipmapLevels)); -- quint32 offset = headerSize + decode(header->bytesOfKeyValueData); -- const int maxLevels = qMin(texData.numLevels(), 32); // Cap iterations in case of corrupt file. -- for (int i = 0; i < maxLevels; i++) { -- if (offset + sizeof(KTXMipmapLevel) > dataSize) // Corrupt file; avoid oob read -- break; -- const KTXMipmapLevel *level = reinterpret_cast<const KTXMipmapLevel *>(buf.constData() + offset); -- quint32 levelLen = decode(level->imageSize); -- texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i); -- texData.setDataLength(levelLen, i); -- offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 - ((levelLen + 3) % 4)); -+ texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight))); -+ texData.setGLFormat(decode(header.glFormat)); -+ texData.setGLInternalFormat(decode(header.glInternalFormat)); -+ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat)); -+ -+ texData.setNumLevels(decode(header.numberOfMipmapLevels)); -+ -+ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData); -+ quint32 headerKeyValueSize; -+ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) { -+ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s", -+ logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ if (headerKeyValueSize >= quint32(buf.size())) { -+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ // Technically, any number of levels is allowed but if the value is bigger than -+ // what is possible in KTX V2 (and what makes sense) we return an error. -+ // maxLevels = log2(max(width, height, depth)) -+ const int maxLevels = (sizeof(quint32) * 8) -+ - qCountLeadingZeroBits(std::max( -+ { header.pixelWidth, header.pixelHeight, header.pixelDepth })); -+ -+ if (texData.numLevels() > maxLevels) { -+ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ quint32 offset = headerKeyValueSize; -+ for (int level = 0; level < texData.numLevels(); level++) { -+ const auto imageSizeSlice = safeSlice(buf, offset, sizeof(quint32)); -+ if (imageSizeSlice.isEmpty()) { -+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ const quint32 imageSize = decode(qFromUnaligned<quint32>(imageSizeSlice.data())); -+ offset += sizeof(quint32); // overflow checked indirectly above -+ -+ texData.setDataOffset(offset, level); -+ texData.setDataLength(imageSize, level); -+ -+ // Add image data and padding to offset -+ quint32 padded = 0; -+ if (nearestMultipleOf4(imageSize, &padded)) { -+ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ quint32 offsetNext; -+ if (qAddOverflow(offset, padded, &offsetNext)) { -+ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); -+ return QTextureFileData(); -+ } -+ -+ offset = offsetNext; - } - - if (!texData.isValid()) { -- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData()); -+ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", -+ logName().constData()); - return QTextureFileData(); - } - -@@ -191,7 +271,7 @@ bool QKtxHandler::checkHeader(const KTXHeader &header) - (decode(header.numberOfFaces) == 1)); - } - --quint32 QKtxHandler::decode(quint32 val) -+quint32 QKtxHandler::decode(quint32 val) const - { - return inverseEndian ? qbswap<quint32>(val) : val; - } -diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h -index 19f7b0e79a..8da990aaac 100644 ---- a/src/gui/util/qktxhandler_p.h -+++ b/src/gui/util/qktxhandler_p.h -@@ -68,7 +68,7 @@ public: - - private: - bool checkHeader(const KTXHeader &header); -- quint32 decode(quint32 val); -+ quint32 decode(quint32 val) const; - - bool inverseEndian = false; - }; --- -2.43.0 - |