diff --git a/.gitignore b/.gitignore index b9a5a49..60568f2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/qtsvg-everywhere-src-5.15.2.tar.xz +SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz diff --git a/.qt5-qtsvg.metadata b/.qt5-qtsvg.metadata index b640080..69f7c04 100644 --- a/.qt5-qtsvg.metadata +++ b/.qt5-qtsvg.metadata @@ -1 +1 @@ -08531b47924078cbde6dfbf56da83651d58f6a13 SOURCES/qtsvg-everywhere-src-5.15.2.tar.xz +098a144b80997400be2f13ef5b9ddb286e0274c7 SOURCES/qtsvg-everywhere-opensource-src-5.15.3.tar.xz diff --git a/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch index 83db864..bb9610c 100644 --- a/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch +++ b/SOURCES/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch @@ -1,25 +1,18 @@ -diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp ---- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2020-10-27 09:02:11.000000000 +0100 -+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2021-03-09 17:48:50.187425243 +0100 -@@ -65,6 +65,7 @@ - #include "private/qmath_p.h" - - #include "float.h" -+#include - - QT_BEGIN_NAMESPACE - -@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str) +diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp +index b3d9aaf..9dac05c 100644 +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -673,7 +673,8 @@ static qreal toDouble(const QChar *&str) val = -val; } else { val = QByteArray::fromRawData(temp, pos).toDouble(); +- if (qFpClassify(val) != FP_NORMAL) + // Do not tolerate values too wild to be represented normally by floats -+ if (std::fpclassify(float(val)) != FP_NORMAL) -+ val = 0; ++ if (qFpClassify(float(val)) != FP_NORMAL) + val = 0; } return val; - -@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr +@@ -3046,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, ncy = toDouble(cy); if (!r.isEmpty()) nr = toDouble(r); diff --git a/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch b/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch new file mode 100644 index 0000000..d47d0e3 --- /dev/null +++ b/SOURCES/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch @@ -0,0 +1,198 @@ +diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp +index b3d9aaf..402a71f 100644 +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -1614,6 +1614,7 @@ static void pathArc(QPainterPath &path, + + static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + { ++ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this + qreal x0 = 0, y0 = 0; // starting point + qreal x = 0, y = 0; // current point + char lastMode = 0; +@@ -1621,7 +1622,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + const QChar *str = dataStr.constData(); + const QChar *end = str + dataStr.size(); + +- while (str != end) { ++ bool ok = true; ++ while (ok && str != end) { + while (str->isSpace() && (str + 1) != end) + ++str; + QChar pathElem = *str; +@@ -1635,14 +1637,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + arg.append(0);//dummy + const qreal *num = arg.constData(); + int count = arg.count(); +- while (count > 0) { ++ while (ok && count > 0) { + qreal offsetX = x; // correction offsets + qreal offsetY = y; // for relative commands + switch (pathElem.unicode()) { + case 'm': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = x0 = num[0] + offsetX; +@@ -1659,8 +1660,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'M': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = x0 = num[0]; +@@ -1686,8 +1686,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'l': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = num[0] + offsetX; +@@ -1700,8 +1699,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'L': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = num[0]; +@@ -1741,8 +1739,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'c': { + if (count < 6) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1(num[0] + offsetX, num[1] + offsetY); +@@ -1758,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'C': { + if (count < 6) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1(num[0], num[1]); +@@ -1775,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 's': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1; +@@ -1797,8 +1792,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'S': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1; +@@ -1819,8 +1813,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'q': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c(num[0] + offsetX, num[1] + offsetY); +@@ -1835,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'Q': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c(num[0], num[1]); +@@ -1851,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 't': { + if (count < 2) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF e(num[0] + offsetX, num[1] + offsetY); +@@ -1872,8 +1863,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'T': { + if (count < 2) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF e(num[0], num[1]); +@@ -1893,8 +1883,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'a': { + if (count < 7) { +- num += count; +- count = 0; ++ ok = false; + break; + } + qreal rx = (*num++); +@@ -1916,8 +1905,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'A': { + if (count < 7) { +- num += count; +- count = 0; ++ ok = false; + break; + } + qreal rx = (*num++); +@@ -1938,12 +1926,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + break; + default: +- return false; ++ ok = false; ++ break; + } + lastMode = pathElem.toLatin1(); ++ if (path.elementCount() > maxElementCount) ++ ok = false; + } + } +- return true; ++ return ok; + } + + static bool parseStyle(QSvgNode *node, +@@ -2979,8 +2970,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, + + QPainterPath qpath; + qpath.setFillRule(Qt::WindingFill); +- //XXX do error handling +- parsePathDataFast(data, qpath); ++ if (!parsePathDataFast(data, qpath)) ++ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); + + QSvgNode *path = new QSvgPath(parent, qpath); + return path; diff --git a/SOURCES/qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch b/SOURCES/qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch deleted file mode 100644 index 274cf43..0000000 --- a/SOURCES/qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch +++ /dev/null @@ -1,224 +0,0 @@ -From 5b9285c34731e67f9f1d61ec804740991f2a0380 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland -Date: Mon, 25 Oct 2021 14:17:55 +0200 -Subject: [PATCH] Do stricter error checking when parsing path nodes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SVG spec mandates that path parsing should terminate on the first -error encountered, and an error be reported. To improve the handling -of corrupt files, implement such error handling, and also limit the -number of QPainterPath elements to a reasonable range. - -Fixes: QTBUG-96044 -Pick-to: 6.2 5.15 5.12 -Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 -Reviewed-by: Allan Sandfeld Jensen -Reviewed-by: Robert Löhning -(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) ---- - src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 34 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index b542089..2ea80ed 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1627,6 +1627,7 @@ static void pathArc(QPainterPath &path, - - static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - { -+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this - qreal x0 = 0, y0 = 0; // starting point - qreal x = 0, y = 0; // current point - char lastMode = 0; -@@ -1634,7 +1635,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - const QChar *str = dataStr.constData(); - const QChar *end = str + dataStr.size(); - -- while (str != end) { -+ bool ok = true; -+ while (ok && str != end) { - while (str->isSpace() && (str + 1) != end) - ++str; - QChar pathElem = *str; -@@ -1651,14 +1653,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - arg.append(0);//dummy - const qreal *num = arg.constData(); - int count = arg.count(); -- while (count > 0) { -+ while (ok && count > 0) { - qreal offsetX = x; // correction offsets - qreal offsetY = y; // for relative commands - switch (pathElem.unicode()) { - case 'm': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0] + offsetX; -@@ -1675,8 +1676,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'M': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0]; -@@ -1702,8 +1702,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'l': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0] + offsetX; -@@ -1716,8 +1715,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'L': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0]; -@@ -1757,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'c': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1774,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'C': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0], num[1]); -@@ -1791,8 +1787,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 's': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1813,8 +1808,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'S': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1835,8 +1829,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1851,8 +1844,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'Q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0], num[1]); -@@ -1867,8 +1859,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 't': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1888,8 +1879,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'T': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0], num[1]); -@@ -1909,8 +1899,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'a': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1932,8 +1921,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'A': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1954,12 +1942,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - break; - default: -- return false; -+ ok = false; -+ break; - } - lastMode = pathElem.toLatin1(); -+ if (path.elementCount() > maxElementCount) -+ ok = false; - } - } -- return true; -+ return ok; - } - - static bool parseStyle(QSvgNode *node, -@@ -2997,8 +2988,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, - - QPainterPath qpath; - qpath.setFillRule(Qt::WindingFill); -- //XXX do error handling -- parsePathDataFast(data, qpath); -+ if (!parsePathDataFast(data, qpath)) -+ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); - - QSvgNode *path = new QSvgPath(parent, qpath); - return path; --- -GitLab - diff --git a/SPECS/qt5-qtsvg.spec b/SPECS/qt5-qtsvg.spec index b5f8488..52e502b 100644 --- a/SPECS/qt5-qtsvg.spec +++ b/SPECS/qt5-qtsvg.spec @@ -4,20 +4,18 @@ Summary: Qt5 - Support for rendering and displaying SVG Name: qt5-%{qt_module} -Version: 5.15.2 -Release: 8%{?dist} +Version: 5.15.3 +Release: 1%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions Url: http://www.qt.io %global majmin %(echo %{version} | cut -d. -f1-2) -Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz +Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz # upstream fix Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch - -# CVE-2021-45930 qt5-qtsvg: qt: out-of-bounds write may lead to DoS -Patch1: qtsvg-do-stricter-error-checking-when-parsing-path-nodes.patch +Patch1: qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch BuildRequires: make BuildRequires: qt5-qtbase-devel >= %{version} @@ -113,6 +111,10 @@ popd %endif %changelog +* Mon Mar 28 2022 Jan Grulich - 5.15.3-1 +- 5.15.3 + Resolves: bz#2061369 + * Tue Jan 11 2022 Jan Grulich - 5.15.2-8 - Fix out-of-bound write that may lead to DoS Resolves: bz#2038488