qt-CVE-2023-43114

2023-11-27 14:35:44 +08:00 · 2023-11-27 14:35:44 +08:00 · d5b54ac281
commit d5b54ac281
parent 1a29d4b9e1
2 changed files with 133 additions and 1 deletions
--- a/qt-CVE-2023-43114.patch
+++ b/qt-CVE-2023-43114.patch
@ -0,0 +1,125 @@
+From 7edcbe0e7db0c292ceac044aacc598bb250d32f2 Mon Sep 17 00:00:00 2001
+From: hua_yadong <huayadong@kylinos.cn>
+Date: Mon, 27 Nov 2023 14:25:31 +0800
+Subject: [PATCH] qt-CVE-2023-43114
+
+---
+ src/gui/text/qfontdatabase_win.cpp | 65 +++++++++++++++++++++++-------
+ 1 file changed, 50 insertions(+), 15 deletions(-)
+
+diff --git a/src/gui/text/qfontdatabase_win.cpp b/src/gui/text/qfontdatabase_win.cpp
+index 10670b1b..7d40b605 100644
+--- a/src/gui/text/qfontdatabase_win.cpp
+++ b/src/gui/text/qfontdatabase_win.cpp
+@@ -1140,33 +1140,67 @@ typedef BOOL (WINAPI *PtrRemoveFontMemResourceEx)(HANDLE);
+ static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData)
+ {
+     QList<quint32> offsets;
+-    const quint32 headerTag = *reinterpret_cast<const quint32 *>(fontData);
+    if (fileEndSentinel - fontData < 12) {
+        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+        return offsets;
+    }
+
+    const quint32 headerTag = qFromUnaligned<quint32>(fontData);
+     if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) {
+         if (headerTag != MAKE_TAG(0, 1, 0, 0)
+             && headerTag != MAKE_TAG('O', 'T', 'T', 'O')
+             && headerTag != MAKE_TAG('t', 'r', 'u', 'e')
+-            && headerTag != MAKE_TAG('t', 'y', 'p', '1'))
+            && headerTag != MAKE_TAG('t', 'y', 'p', '1')) {
+             return offsets;
+        }
+         offsets << 0;
+         return offsets;
+     }
+
+    const quint32 maximumNumFonts = 0xffff;
+     const quint32 numFonts = qFromBigEndian<quint32>(fontData + 8);
+-    for (uint i = 0; i < numFonts; ++i) {
+-        offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
+    if (numFonts > maximumNumFonts) {
+        qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting.";
+        return offsets;
+    }
+
+    if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) {
+        for (quint32 i = 0; i < numFonts; ++i)
+            offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
+    } else {
+        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+     }
+
+     return offsets;
+ }
+ 
+-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+ {
+-    const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+-    for (uint i = 0; i < numTables; ++i) {
+-        const quint32 offset = 12 + 16 * i;
+-        if (*reinterpret_cast<const quint32 *>(data + offset) == tag) {
+-            *table = fileBegin + qFromBigEndian<quint32>(data + offset + 8);
+-            *length = qFromBigEndian<quint32>(data + offset + 12);
+-            return;
+    if (fileEndSentinel - data >= 6) {
+        const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+        if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) {
+            for (quint32 i = 0; i < numTables; ++i) {
+                const quint32 offset = 12 + 16 * i;
+                if (qFromUnaligned<quint32>(data + offset) == tag) {
+                    const quint32 tableOffset = qFromBigEndian<quint32>(data + offset + 8);
+                    if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) {
+                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+                        break;
+                    }
+                    *table = fileBegin + tableOffset;
+                    *length = qFromBigEndian<quint32>(data + offset + 12);
+                    if (quintptr(fileEndSentinel - *table) < *length) {
+                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+                        break;
+                    }
+                    return;
+                }
+            }
+        } else {
+            qCWarning(lcQpaFonts) << "Corrupted font data detected";
+         }
+    } else {
+        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+     }
+     *table = 0;
+     *length = 0;
+@@ -1176,8 +1210,9 @@ static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag,
+ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePrivate::ApplicationFont *appFont)
+ {
+     const uchar *data = reinterpret_cast<const uchar *>(fontData.constData());
+    const uchar *dataEndSentinel = data + fontData.size();
+ 
+-    QList<quint32> offsets = getTrueTypeFontOffsets(data);
+    QList<quint32> offsets = getTrueTypeFontOffsets(data, dataEndSentinel);
+     if (offsets.isEmpty())
+         return;
+ 
+@@ -1185,7 +1220,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
+         const uchar *font = data + offsets.at(i);
+         const uchar *table;
+         quint32 length;
+-        getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+        getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+         if (!table)
+             continue;
+         QString name = getEnglishName(table, length);
+@@ -1194,7 +1229,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
+ 
+         appFont->families << name;
+         FONTSIGNATURE signature;
+-        getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+        getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+         if (table && length >= 86) {
+             // See also qfontdatabase_mac.cpp, offsets taken from OS/2 table in the TrueType spec
+             signature.fsUsb[0] = qFromBigEndian<quint32>(table + 42);
+-- 
+2.41.0
+
--- a/qt.spec
+++ b/qt.spec
@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        59
+Release:        60
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@ -92,6 +92,7 @@ Patch6007:      CVE-2023-32573.patch
 Patch6008:      qt-CVE-2023-34410.patch
 Patch6009:      qt-CVE-2023-38197.patch
 Patch6010:      qt-CVE-2023-37369.patch 
+Patch6011:      qt-CVE-2023-43114.patch 

 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@ -469,6 +470,12 @@ fi
 %{_qt4_prefix}/examples/

 %changelog
+* Mon Nov 27 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-60
+- Type:cves
+- ID:CVE-2023-43114
+- SUG:NA
+- DESC:fix CVE-2023-43114
+
 * Sat Nov 25 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-59
 - Type:cves
 - ID:CVE-2023-37369