qt-CVE-2023-37369

qt-CVE-2023-37369.patch

@@ -0,0 +1,206 @@
+From 15000da32ac2c10a2bd81232df7708cdf40db7bc Mon Sep 17 00:00:00 2001
+From: hua_yadong <huayadong@kylinos.cn>
+Date: Sat, 25 Nov 2023 12:16:28 +0800
+Subject: [PATCH] qt-CVE-2023-37369
+
+---
+ src/corelib/xml/qxmlstream.cpp | 34 ++++++++++++++++++++++------------
+ src/corelib/xml/qxmlstream.g   | 25 ++++++++++++++++++++++---
+ src/corelib/xml/qxmlstream_p.h | 25 ++++++++++++++++++++++---
+ 3 files changed, 66 insertions(+), 18 deletions(-)
+
+diff --git a/src/corelib/xml/qxmlstream.cpp b/src/corelib/xml/qxmlstream.cpp
+index 5ade4cf2..1621aea9 100644
+--- a/src/corelib/xml/qxmlstream.cpp
++++ b/src/corelib/xml/qxmlstream.cpp
+@@ -1329,7 +1329,9 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
+     return n;
+ }
+ 
+-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
++// Fast scan an XML attribute name (e.g. "xml:lang").
++inline QXmlStreamReaderPrivate::FastScanNameResult
++QXmlStreamReaderPrivate::fastScanName(Value *val)
+ {
+     int n = 0;
+     ushort c;
+@@ -1361,23 +1363,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+         case '+':
+         case '*':
+             putChar(c);
+-            if (prefix && *prefix == n+1) {
+-                *prefix = 0;
++            if (val && val->prefix == n + 1) {
++                val->prefix = 0;
+                 putChar(':');
+                 --n;
+             }
+-            return n;
++            return FastScanNameResult(n);
+         case ':':
+-            if (prefix) {
+-                if (*prefix == 0) {
+-                    *prefix = n+2;
++            if (val) {
++                if (val->prefix == 0) {
++                    val->prefix = n + 2;
+                 } else { // only one colon allowed according to the namespace spec.
+                     putChar(c);
+-                    return n;
++                    return FastScanNameResult(n);
+                 }
+             } else {
+                 putChar(c);
+-                return n;
++                return FastScanNameResult(n);
+             }
+             // fall through
+         default:
+@@ -1386,12 +1388,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+         }
+     }
+ 
+-    if (prefix)
+-        *prefix = 0;
++    if (val)
++        val->prefix = 0;
+     int pos = textBuffer.size() - n;
+     putString(textBuffer, pos);
+     textBuffer.resize(pos);
+-    return 0;
++    return FastScanNameResult(0);
+ }
+ 
+ enum NameChar { NameBeginning, NameNotBeginning, NotName };
+@@ -1898,6 +1900,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
+     raiseError(QXmlStreamReader::NotWellFormedError, message);
+ }
+ 
++void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
++{
++    // TODO: add a ImplementationLimitsExceededError and use it instead
++    raiseError(QXmlStreamReader::NotWellFormedError,
++               QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
++                              "characters)."));
++}
++
+ void QXmlStreamReaderPrivate::parseError()
+ {
+ 
+diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g
+index 094183b8..9de293f4 100644
+--- a/src/corelib/xml/qxmlstream.g
++++ b/src/corelib/xml/qxmlstream.g
+@@ -492,7 +492,16 @@ public:
+     int fastScanLiteralContent();
+     int fastScanSpace();
+     int fastScanContentCharList();
+-    int fastScanName(int *prefix = 0);
++
++    struct FastScanNameResult {
++        FastScanNameResult() : ok(false) {}
++        explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
++        operator bool() { return ok; }
++        int operator*() { Q_ASSERT(ok); return addToLen; }
++        int addToLen;
++        bool ok;
++    };
++    FastScanNameResult fastScanName(Value *val = NULL);
+     inline int fastScanNMTOKEN();
+ 
+ 
+@@ -501,6 +510,7 @@ public:
+ 
+     void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
+     void raiseWellFormedError(const QString &message);
++    void raiseNamePrefixTooLongError();
+ 
+     QXmlStreamEntityResolver *entityResolver;
+ 
+@@ -1784,7 +1794,12 @@ space_opt ::= space;
+ qname ::= LETTER;
+ /.
+         case $rule_number: {
+-            sym(1).len += fastScanName(&sym(1).prefix);
++            Value &val = sym(1);
++            if (FastScanNameResult res = fastScanName(&val))
++                val.len += *res;
++	    else
++                return false;
++                
+             if (atEnd) {
+                 resume($rule_number);
+                 return false;
+@@ -1795,7 +1810,11 @@ qname ::= LETTER;
+ name ::= LETTER;
+ /.
+         case $rule_number:
+-            sym(1).len += fastScanName();
++            if (FastScanNameResult res = fastScanName(&val))
++                sym(1).len += *res;
++	    else
++                return false;
++
+             if (atEnd) {
+                 resume($rule_number);
+                 return false;
+diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
+index 055902a1..dcf2a7d9 100644
+--- a/src/corelib/xml/qxmlstream_p.h
++++ b/src/corelib/xml/qxmlstream_p.h
+@@ -997,7 +997,16 @@ public:
+     int fastScanLiteralContent();
+     int fastScanSpace();
+     int fastScanContentCharList();
+-    int fastScanName(int *prefix = 0);
++
++    struct FastScanNameResult {
++        FastScanNameResult() : ok(false) {}
++        explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
++        operator bool() { return ok; }
++        int operator*() { Q_ASSERT(ok); return addToLen; }
++        int addToLen;
++        bool ok;
++    };
++    FastScanNameResult fastScanName(Value *val = NULL);
+     inline int fastScanNMTOKEN();
+ 
+ 
+@@ -1006,6 +1015,7 @@ public:
+ 
+     void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
+     void raiseWellFormedError(const QString &message);
++    void raiseNamePrefixTooLongError();
+ 
+     QXmlStreamEntityResolver *entityResolver;
+ 
+@@ -1928,7 +1938,12 @@ bool QXmlStreamReaderPrivate::parse()
+         break;
+ 
+         case 262: {
+-            sym(1).len += fastScanName(&sym(1).prefix);
++            Value &val = sym(1);
++            if (FastScanNameResult res = fastScanName(&val))
++                val.len += *res;
++	    else
++                return false;
++                
+             if (atEnd) {
+                 resume(262);
+                 return false;
+@@ -1936,7 +1951,11 @@ bool QXmlStreamReaderPrivate::parse()
+         } break;
+ 
+         case 263:
+-            sym(1).len += fastScanName();
++            if (FastScanNameResult res = fastScanName())
++                sym(1).len += *res;
++	    else
++                return false;
++                
+             if (atEnd) {
+                 resume(263);
+                 return false;
+-- 
+2.41.0
+

qt.spec

@@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        58
+Release:        59
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@@ -91,6 +91,7 @@ Patch6006:      CVE-2020-0570.patch
 Patch6007:      CVE-2023-32573.patch
 Patch6008:      qt-CVE-2023-34410.patch
 Patch6009:      qt-CVE-2023-38197.patch
+Patch6010:      qt-CVE-2023-37369.patch 
 
 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@@ -468,6 +469,12 @@ fi
 %{_qt4_prefix}/examples/
 
 %changelog
+* Sat Nov 25 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-59
+- Type:cves
+- ID:CVE-2023-37369
+- SUG:NA
+- DESC:fix CVE-2023-37369
+
 * Fri Nov 24 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-58
 - Type:cves
 - ID:CVE-2023-38197