diff --git a/CVE-2021-45930.patch b/CVE-2021-45930.patch index 73bca31..c1d1534 100644 --- a/CVE-2021-45930.patch +++ b/CVE-2021-45930.patch @@ -1,4 +1,4 @@ -From a3b753c2d077313fc9eb93af547051b956e383fc Mon Sep 17 00:00:00 2001 +From 36cfd9efb9b22b891adee9c48d30202289cfa620 Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Mon, 25 Oct 2021 14:17:55 +0200 Subject: [PATCH] Do stricter error checking when parsing path nodes @@ -12,20 +12,19 @@ of corrupt files, implement such error handling, and also limit the number of QPainterPath elements to a reasonable range. Fixes: QTBUG-96044 +Pick-to: 6.2 5.15 5.12 Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Robert Löhning -(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) -Reviewed-by: Qt Cherry-pick Bot --- src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 34 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 08ee7819..db21d5f4 100644 +index db29211..dd869ff 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp -@@ -1611,6 +1611,7 @@ static void pathArc(QPainterPath &path, +@@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path, static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) { 
@@ -33,17 +32,17 @@ index 08ee7819..db21d5f4 100644 qreal x0 = 0, y0 = 0; // starting point qreal x = 0, y = 0; // current point char lastMode = 0; -@@ -1618,7 +1619,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr const QChar *str = dataStr.constData(); const QChar *end = str + dataStr.size(); - while (str != end) { + bool ok = true; + while (ok && str != end) { - while (str->isSpace()) + while (str->isSpace() && (str + 1) != end) ++str; QChar pathElem = *str; -@@ -1632,14 +1634,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr arg.append(0);//dummy const qreal *num = arg.constData(); int count = arg.count(); @@ -60,7 +59,7 @@ index 08ee7819..db21d5f4 100644 break; } x = x0 = num[0] + offsetX; -@@ -1656,8 +1657,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr break; case 'M': { if (count < 2) { @@ -70,7 +69,7 @@ index 08ee7819..db21d5f4 100644 break; } x = x0 = num[0]; -@@ -1683,8 +1683,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr break; case 'l': { if (count < 2) { @@ -80,7 +79,7 @@ index 08ee7819..db21d5f4 100644 break; } x = num[0] + offsetX; -@@ -1697,8 +1696,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr break; case 'L': { if (count < 2) { @@ -90,7 +89,7 @@ index 08ee7819..db21d5f4 100644 break; } x = num[0]; -@@ -1738,8 +1736,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr break; case 'c': { if (count < 6) { 
@@ -100,7 +99,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1755,8 +1752,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr } case 'C': { if (count < 6) { @@ -110,7 +109,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c1(num[0], num[1]); -@@ -1772,8 +1768,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr } case 's': { if (count < 4) { @@ -120,7 +119,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c1; -@@ -1794,8 +1789,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr } case 'S': { if (count < 4) { @@ -130,7 +129,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c1; -@@ -1816,8 +1810,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr } case 'q': { if (count < 4) { @@ -140,7 +139,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1832,8 +1825,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr } case 'Q': { if (count < 4) { @@ -150,7 +149,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF c(num[0], num[1]); -@@ -1848,8 +1840,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr } case 't': { if (count < 2) { 
@@ -160,7 +159,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1869,8 +1860,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr } case 'T': { if (count < 2) { @@ -170,7 +169,7 @@ index 08ee7819..db21d5f4 100644 break; } QPointF e(num[0], num[1]); -@@ -1890,8 +1880,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr } case 'a': { if (count < 7) { @@ -180,7 +179,7 @@ index 08ee7819..db21d5f4 100644 break; } qreal rx = (*num++); -@@ -1913,8 +1902,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr break; case 'A': { if (count < 7) { @@ -190,7 +189,7 @@ index 08ee7819..db21d5f4 100644 break; } qreal rx = (*num++); -@@ -1935,12 +1923,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) +@@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr } break; default: @@ -208,7 +207,7 @@ index 08ee7819..db21d5f4 100644 } static bool parseStyle(QSvgNode *node, -@@ -2976,8 +2967,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, +@@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode QPainterPath qpath; qpath.setFillRule(Qt::WindingFill); @@ -220,4 +219,3 @@ index 08ee7819..db21d5f4 100644 QSvgNode *path = new QSvgPath(parent, qpath); return path; - diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index f0bc0da..7024088 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec 
@@ -1,13 +1,14 @@ Name: qt5-qtsvg -Version: 5.11.1 -Release: 6 +Version: 5.15.2 +Release: 1 Summary: Qt GUI toolkit for rendering and displaying SVG License: LGPLv2 with exceptions or GPLv3 with exceptions Url: http://www.qt.io -Source0: https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz -Patch0001: qtsvg-opensource-src-5.6.0-beta1-example-install.patch -Patch0002: CVE-2021-45930.patch -BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel +Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz +Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch +Patch1: CVE-2021-45930.patch + +BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel make %{?_qt5:Requires: %{_qt5} = %{_qt5_version}} %description @@ -52,6 +53,7 @@ popd %dir %{_qt5_libdir}/cmake/Qt5Svg/ %{_qt5_libdir}/{libQt5Svg.so.5*,cmake/Qt5Svg/Qt5Svg_*Plugin.cmake} %{_qt5_plugindir}/{iconengines/libqsvgicon.so,imageformats/libqsvg.so} +%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QSvg*Plugin.cmake %files devel %{_qt5_examplesdir}/ @@ -61,6 +63,9 @@ popd %{_qt5_archdatadir}/mkspecs/modules/qt_lib_svg*.pri %changelog +* Tue Jan 18 2022 liyanan - 5.15.2-1 +- update to upstream version 5.15.2 + * Thu Jan 13 2022 wangkai - 5.11.1-6 - Fix CVE-2021-45930 diff --git a/qt5-qtsvg.yaml b/qt5-qtsvg.yaml index 8c797f1..154a0c5 100644 --- a/qt5-qtsvg.yaml +++ b/qt5-qtsvg.yaml @@ -1,4 +1,4 @@ version_control: git src_repo: https://code.qt.io/qt/qtsvg.git -tag_prefix: ^v -seperator: . +tag_prefix: "^v" +separator: "." diff --git a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch new file mode 100644 index 0000000..83db864 --- /dev/null +++ b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch 
@@ -0,0 +1,30 @@
+diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp
+--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2020-10-27 09:02:11.000000000 +0100
++++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2021-03-09 17:48:50.187425243 +0100
+@@ -65,6 +65,7 @@
+ #include "private/qmath_p.h"
+
+ #include "float.h"
++#include
+
+ QT_BEGIN_NAMESPACE
+
+@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
+ val = -val;
+ } else {
+ val = QByteArray::fromRawData(temp, pos).toDouble();
++ // Do not tolerate values too wild to be represented normally by floats
++ if (std::fpclassify(float(val)) != FP_NORMAL)
++ val = 0;
+ }
+ return val;
+
+@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr
+ ncy = toDouble(cy);
+ if (!r.isEmpty())
+ nr = toDouble(r);
++ if (nr < 0.5)
++ nr = 0.5;
+
+ qreal nfx = ncx;
+ if (!fx.isEmpty())
diff --git a/qtsvg-everywhere-src-5.11.1.tar.xz b/qtsvg-everywhere-src-5.11.1.tar.xz
deleted file mode 100644
index 9d71de0..0000000
Binary files a/qtsvg-everywhere-src-5.11.1.tar.xz and /dev/null differ
diff --git a/qtsvg-everywhere-src-5.15.2.tar.xz b/qtsvg-everywhere-src-5.15.2.tar.xz
new file mode 100644
index 0000000..eb11c2d
Binary files /dev/null and b/qtsvg-everywhere-src-5.15.2.tar.xz differ
diff --git a/qtsvg-opensource-src-5.6.0-beta1-example-install.patch b/qtsvg-opensource-src-5.6.0-beta1-example-install.patch
deleted file mode 100644
index d2eb649..0000000
--- a/qtsvg-opensource-src-5.6.0-beta1-example-install.patch
+++ /dev/null
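Review bot: The radius floor added in the createRadialGr… hunk of the new clamp patch, `if (nr < 0.5) nr = 0.5;`, is an unexplained constant that silently replaces zero, negative and very small radii read from the SVG. A comment such as `// floor degenerate radii parsed from untrusted input` above it would record the intent for whoever rebases this patch. In the toDouble hunk the `std::fpclassify(float(val))` check is added only in the `else` branch; the other branch lies outside the hunk, so it is not visible here whether it can also produce values outside float range. The patch file itself begins at `diff -up` with no From/Subject header, unlike CVE-2021-45930.patch, so its upstream origin cannot be traced from the package; a short header naming the upstream change would address that.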
@@ -1,12 +0,0 @@
-diff --git a/examples/svg/richtext/textobject/textobject.pro b/examples/svg/richtext/textobject/textobject.pro
-index 8892ae7..f9ec7c6 100644
---- a/examples/svg/richtext/textobject/textobject.pro
-+++ b/examples/svg/richtext/textobject/textobject.pro
-@@ -14,6 +14,6 @@ INSTALLS += target
-
- wince*{
- filesToDeploy.files = files/*.svg
-- filesToDeploy.path = files
-+ filesToDeploy.path = $$[QT_INSTALL_EXAMPLES]/svg/richtext/textobject/files
- DEPLOYMENT += filesToDeploy
- }