rpms / qt5-qtsvg

Clone
Source Code
GIT

Blame SOURCES/qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   70766979b9230602f4bf8104274f6b8db307fc95
  2.   SOURCES
  3.   qtsvg-CVE-2021-3481-clamp-parsed-doubles-to-float-representable-values.patch
Blob History Raw
707669 
From bfd6ee0d8cf34b63d32adf10ed93daa0086b359f Mon Sep 17 00:00:00 2001
707669 
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
707669 
Date: Thu, 04 Mar 2021 14:28:48 +0100
707669 
Subject: [PATCH] Clamp parsed doubles to float representable values
707669
707669 
Parts of our rendering assumes incoming doubles can still be sane
707669 
floats.
707669
707669 
Pick-to: 6.1 6.0 5.15 5.12
707669 
Fixes: QTBUG-91507
707669 
Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
707669 
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
707669 
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
707669 
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
707669 
---
707669
707669 
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
707669 
index c937254..c88b6cc 100644
707669 
--- a/src/svg/qsvghandler.cpp
707669 
+++ b/src/svg/qsvghandler.cpp
707669 
@@ -672,6 +672,9 @@ static qreal toDouble(const QChar *&str)
707669 
             val = -val;
707669 
     } else {
707669 
         val = QByteArray::fromRawData(temp, pos).toDouble();
707669 
+        // Do not tolerate values too wild to be represented normally by floats
707669 
+        if (std::fpclassify(float(val)) != FP_NORMAL)
707669 
+            val = 0;
707669 
     }
707669 
     return val;
707669
707669 
@@ -3043,6 +3046,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
707669 
         ncy = toDouble(cy);
707669 
     if (!r.isEmpty())
707669 
         nr = toDouble(r);
707669 
+    if (nr < 0.5)
707669 
+        nr = 0.5;
707669
707669 
     qreal nfx = ncx;
707669 
     if (!fx.isEmpty())

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation