packages/qt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:b3258e51153ef129d828b0c44c38639b4748b2bd
Branches Tags
packages:main
...
compare: packages:13764b512126d6d68a4071247dad7e9b24b28eba
Branches Tags
packages:main

10 Commits
b3258e5115 ... 13764b5121

Author SHA1 Message Date
openeuler-ci-bot
13764b5121
!104 [sync] PR-102: fix LTO build 
From: @openeuler-sync-bot 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
 2025-02-12 06:59:11 +00:00
Funda Wang
8dd0fdc669 fix LTO build 
(cherry picked from commit 87a98082c533a0ad131866e7a132c5d191e0e825)
 2025-01-23 23:20:26 +08:00
openeuler-ci-bot
96fd0b291c
!85 fix CVE-2023-43144 
From: @hua_yadong 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
 2023-11-27 09:55:31 +00:00
hua_yadong
d5b54ac281 qt-CVE-2023-43114 2023-11-27 14:35:44 +08:00
openeuler-ci-bot
3426e851be
!84 qt-CVE-2023-37369 
From: @hua_yadong 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
 2023-11-27 06:08:38 +00:00
hua_yadong
1a29d4b9e1 qt-CVE-2023-37369 2023-11-27 11:43:47 +08:00
openeuler-ci-bot
1c86244833
!72 fix qt-CVE-2023-38197 
From: @hua_yadong 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
 2023-11-25 06:49:13 +00:00
hua_yadong
3df6d77b4d qt-CVE-2023-38197 2023-11-25 13:10:40 +08:00
openeuler-ci-bot
86e05f4836
!67 fix CVE-2023-34410 
From: @peijiankang 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
 2023-11-02 10:18:38 +00:00
peijiankang
71497852b1 fix CVE-2023-34410 2023-11-02 11:15:20 +08:00
6 changed files with 666 additions and 29 deletions
Show Stats Expand all files Collapse all files

49
fix-lto-build.patch Normal file
View File

@ -0,0 +1,49 @@
From 7004c3fe3148b1f081c1575341257dca18e804b2 Mon Sep 17 00:00:00 2001
From: Richard Weickelt <richard@weickelt.de>
Date: Tue, 28 Jul 2020 22:39:01 +0200
Subject: [PATCH] Fix LTO Build of QtScript
When building with link-time optimization, the function cti_vm_throw was
thrown away because it was only referenced by assembly code. The
function needs to be marked as used.
Fixes: QTBUG-42989
Change-Id: I9974a5db9105adf9079343b5e1564e58f419df97
---
src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.h b/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.h
index da801332..adf6d5dc 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.h
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/JITStubs.h
@@ -123,7 +123,7 @@ namespace JSC {
JSValue* exception;
Profiler** enabledProfilerReference;
JSGlobalData* globalData;
-
+
// When JIT code makes a call, it pushes its return address just below the rest of the stack.
ReturnAddressPtr* returnAddressSlot() { return reinterpret_cast<ReturnAddressPtr*>(this) - 1; }
};
@@ -155,7 +155,7 @@ namespace JSC {
// These arguments passed on the stack.
Profiler** enabledProfilerReference;
JSGlobalData* globalData;
-
+
ReturnAddressPtr* returnAddressSlot() { return &thunkReturnAddress; }
};
#elif CPU(ARM_TRADITIONAL)
@@ -316,7 +316,7 @@ extern "C" {
EncodedJSValue JIT_STUB cti_op_to_primitive(STUB_ARGS_DECLARATION);
EncodedJSValue JIT_STUB cti_op_typeof(STUB_ARGS_DECLARATION);
EncodedJSValue JIT_STUB cti_op_urshift(STUB_ARGS_DECLARATION);
- EncodedJSValue JIT_STUB cti_vm_throw(STUB_ARGS_DECLARATION);
+ EncodedJSValue JIT_STUB cti_vm_throw(STUB_ARGS_DECLARATION) __attribute__((used));
EncodedJSValue JIT_STUB cti_to_object(STUB_ARGS_DECLARATION);
JSObject* JIT_STUB cti_op_construct_JSConstruct(STUB_ARGS_DECLARATION);
JSObject* JIT_STUB cti_op_new_array(STUB_ARGS_DECLARATION);
--
2.16.3

22
qt-CVE-2023-34410.patch Normal file
View File

@ -0,0 +1,22 @@
diff -up qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket.cpp.me qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket.cpp
--- qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket.cpp.me 2023-06-09 16:41:34.702124706 +0200
+++ qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket.cpp 2023-06-09 16:42:50.152993830 +0200
@@ -1863,6 +1863,10 @@ QSslSocketPrivate::QSslSocketPrivate()
, plainSocket(0)
{
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+ // If the global configuration doesn't allow root certificates to be loaded
+ // on demand then we have to disable it for this socket as well.
+ if (!configuration.allowRootCertOnDemandLoading)
+ allowRootCertOnDemandLoading = false;
}
/*!
@@ -2041,6 +2045,7 @@ void QSslConfigurationPrivate::deepCopyD
ptr->sessionCipher = global->sessionCipher;
ptr->ciphers = global->ciphers;
ptr->caCertificates = global->caCertificates;
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
ptr->protocol = global->protocol;
ptr->peerVerifyMode = global->peerVerifyMode;
ptr->peerVerifyDepth = global->peerVerifyDepth;

206
qt-CVE-2023-37369.patch Normal file
View File

@ -0,0 +1,206 @@
From 15000da32ac2c10a2bd81232df7708cdf40db7bc Mon Sep 17 00:00:00 2001
From: hua_yadong <huayadong@kylinos.cn>
Date: Sat, 25 Nov 2023 12:16:28 +0800
Subject: [PATCH] qt-CVE-2023-37369
---
src/corelib/xml/qxmlstream.cpp | 34 ++++++++++++++++++++++------------
src/corelib/xml/qxmlstream.g | 25 ++++++++++++++++++++++---
src/corelib/xml/qxmlstream_p.h | 25 ++++++++++++++++++++++---
3 files changed, 66 insertions(+), 18 deletions(-)
diff --git a/src/corelib/xml/qxmlstream.cpp b/src/corelib/xml/qxmlstream.cpp
index 5ade4cf2..1621aea9 100644
--- a/src/corelib/xml/qxmlstream.cpp
+++ b/src/corelib/xml/qxmlstream.cpp
@@ -1329,7 +1329,9 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
return n;
}
-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+// Fast scan an XML attribute name (e.g. "xml:lang").
+inline QXmlStreamReaderPrivate::FastScanNameResult
+QXmlStreamReaderPrivate::fastScanName(Value *val)
{
int n = 0;
ushort c;
@@ -1361,23 +1363,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
case '+':
case '*':
putChar(c);
- if (prefix && *prefix == n+1) {
- *prefix = 0;
+ if (val && val->prefix == n + 1) {
+ val->prefix = 0;
putChar(':');
--n;
}
- return n;
+ return FastScanNameResult(n);
case ':':
- if (prefix) {
- if (*prefix == 0) {
- *prefix = n+2;
+ if (val) {
+ if (val->prefix == 0) {
+ val->prefix = n + 2;
} else { // only one colon allowed according to the namespace spec.
putChar(c);
- return n;
+ return FastScanNameResult(n);
}
} else {
putChar(c);
- return n;
+ return FastScanNameResult(n);
}
// fall through
default:
@@ -1386,12 +1388,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
}
}
- if (prefix)
- *prefix = 0;
+ if (val)
+ val->prefix = 0;
int pos = textBuffer.size() - n;
putString(textBuffer, pos);
textBuffer.resize(pos);
- return 0;
+ return FastScanNameResult(0);
}
enum NameChar { NameBeginning, NameNotBeginning, NotName };
@@ -1898,6 +1900,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
raiseError(QXmlStreamReader::NotWellFormedError, message);
}
+void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
+{
+ // TODO: add a ImplementationLimitsExceededError and use it instead
+ raiseError(QXmlStreamReader::NotWellFormedError,
+ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
+ "characters)."));
+}
+
void QXmlStreamReaderPrivate::parseError()
{
diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g
index 094183b8..9de293f4 100644
--- a/src/corelib/xml/qxmlstream.g
+++ b/src/corelib/xml/qxmlstream.g
@@ -492,7 +492,16 @@ public:
int fastScanLiteralContent();
int fastScanSpace();
int fastScanContentCharList();
- int fastScanName(int *prefix = 0);
+
+ struct FastScanNameResult {
+ FastScanNameResult() : ok(false) {}
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
+ operator bool() { return ok; }
+ int operator*() { Q_ASSERT(ok); return addToLen; }
+ int addToLen;
+ bool ok;
+ };
+ FastScanNameResult fastScanName(Value *val = NULL);
inline int fastScanNMTOKEN();
@@ -501,6 +510,7 @@ public:
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
void raiseWellFormedError(const QString &message);
+ void raiseNamePrefixTooLongError();
QXmlStreamEntityResolver *entityResolver;
@@ -1784,7 +1794,12 @@ space_opt ::= space;
qname ::= LETTER;
/.
case $rule_number: {
- sym(1).len += fastScanName(&sym(1).prefix);
+ Value &val = sym(1);
+ if (FastScanNameResult res = fastScanName(&val))
+ val.len += *res;
+ else
+ return false;
+
if (atEnd) {
resume($rule_number);
return false;
@@ -1795,7 +1810,11 @@ qname ::= LETTER;
name ::= LETTER;
/.
case $rule_number:
- sym(1).len += fastScanName();
+ if (FastScanNameResult res = fastScanName(&val))
+ sym(1).len += *res;
+ else
+ return false;
+
if (atEnd) {
resume($rule_number);
return false;
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index 055902a1..dcf2a7d9 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -997,7 +997,16 @@ public:
int fastScanLiteralContent();
int fastScanSpace();
int fastScanContentCharList();
- int fastScanName(int *prefix = 0);
+
+ struct FastScanNameResult {
+ FastScanNameResult() : ok(false) {}
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
+ operator bool() { return ok; }
+ int operator*() { Q_ASSERT(ok); return addToLen; }
+ int addToLen;
+ bool ok;
+ };
+ FastScanNameResult fastScanName(Value *val = NULL);
inline int fastScanNMTOKEN();
@@ -1006,6 +1015,7 @@ public:
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
void raiseWellFormedError(const QString &message);
+ void raiseNamePrefixTooLongError();
QXmlStreamEntityResolver *entityResolver;
@@ -1928,7 +1938,12 @@ bool QXmlStreamReaderPrivate::parse()
break;
case 262: {
- sym(1).len += fastScanName(&sym(1).prefix);
+ Value &val = sym(1);
+ if (FastScanNameResult res = fastScanName(&val))
+ val.len += *res;
+ else
+ return false;
+
if (atEnd) {
resume(262);
return false;
@@ -1936,7 +1951,11 @@ bool QXmlStreamReaderPrivate::parse()
} break;
case 263:
- sym(1).len += fastScanName();
+ if (FastScanNameResult res = fastScanName())
+ sym(1).len += *res;
+ else
+ return false;
+
if (atEnd) {
resume(263);
return false;
--
2.41.0

227
qt-CVE-2023-38197.patch Normal file
View File

@ -0,0 +1,227 @@
From 2584638ae4a7824e988c68a8386a448460d82cdc Mon Sep 17 00:00:00 2001
From: hua_yadong <huayadong@kylinos.cn>
Date: Fri, 24 Nov 2023 17:56:39 +0800
Subject: [PATCH] qt-CVE-2023-38197
---
src/corelib/xml/qxmlstream.cpp | 139 +++++++++++++++++++++++++++++++--
src/corelib/xml/qxmlstream_p.h | 11 +++
2 files changed, 142 insertions(+), 8 deletions(-)
diff --git a/src/corelib/xml/qxmlstream.cpp b/src/corelib/xml/qxmlstream.cpp
index 919802f1..5ade4cf2 100644
--- a/src/corelib/xml/qxmlstream.cpp
+++ b/src/corelib/xml/qxmlstream.cpp
@@ -162,7 +162,7 @@ QT_BEGIN_NAMESPACE
addData() or by waiting for it to arrive on the device().
\value UnexpectedElementError The parser encountered an element
- that was different to those it expected.
+ or token that was different to those it expected.
*/
@@ -296,13 +296,34 @@ QXmlStreamEntityResolver *QXmlStreamReader::entityResolver() const
QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
include external parsed entities. As long as no error occurs, the
- application code can thus be assured that the data provided by the
- stream reader satisfies the W3C's criteria for well-formed XML. For
- example, you can be certain that all tags are indeed nested and
- closed properly, that references to internal entities have been
- replaced with the correct replacement text, and that attributes have
- been normalized or added according to the internal subset of the
- DTD.
+ application code can thus be assured, that
+ \list
+ \li the data provided by the stream reader satisfies the W3C's
+ criteria for well-formed XML,
+ \li tokens are provided in a valid order.
+ \endlist
+
+ Unless QXmlStreamReader raises an error, it guarantees the following:
+ \list
+ \li All tags are nested and closed properly.
+ \li References to internal entities have been replaced with the
+ correct replacement text.
+ \li Attributes have been normalized or added according to the
+ internal subset of the \l DTD.
+ \li Tokens of type \l StartDocument happen before all others,
+ aside from comments and processing instructions.
+ \li At most one DOCTYPE element (a token of type \l DTD) is present.
+ \li If present, the DOCTYPE appears before all other elements,
+ aside from StartDocument, comments and processing instructions.
+ \endlist
+
+ In particular, once any token of type \l StartElement, \l EndElement,
+ \l Characters, \l EntityReference or \l EndDocument is seen, no
+ tokens of type StartDocument or DTD will be seen. If one is present in
+ the input stream, out of order, an error is raised.
+
+ \note The token types \l Comment and \l ProcessingInstruction may appear
+ anywhere in the stream.
If an error occurs while parsing, atEnd() and hasError() return
true, and error() returns the error that occurred. The functions
@@ -616,6 +637,7 @@ QXmlStreamReader::TokenType QXmlStreamReader::readNext()
d->token = -1;
return readNext();
}
+ d->checkToken();
return d->type;
}
@@ -740,6 +762,9 @@ static const short QXmlStreamReader_tokenTypeString_indices[] = {
0, 8, 16, 30, 42, 55, 66, 77, 85, 89, 105, 0
};
+static const char QXmlStreamReader_XmlContextString[] =
+ "Prolog\0"
+ "Body\0";
/*!
\property QXmlStreamReader::namespaceProcessing
@@ -776,6 +801,16 @@ QString QXmlStreamReader::tokenString() const
QXmlStreamReader_tokenTypeString_indices[d->type]);
}
+/*!
+ \internal
+ \return \param loc (Prolog/Body) as a string.
+ */
+static const QLatin1String contextString(int ctxt)
+{
+ return QLatin1String(QXmlStreamReader_XmlContextString +
+ QXmlStreamReader_XmlContextString[ctxt]);
+}
+
#endif // QT_NO_XMLSTREAMREADER
QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
@@ -860,6 +895,8 @@ void QXmlStreamReaderPrivate::init()
type = QXmlStreamReader::NoToken;
error = QXmlStreamReader::NoError;
+ currentContext = QXmlStreamReaderPrivate::Prolog;
+ foundDTD = false;
}
/*
@@ -3940,6 +3977,92 @@ void QXmlStreamWriter::writeCurrentToken(const QXmlStreamReader &reader)
}
}
+static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type,
+ int loc)
+{
+ switch (type) {
+ case QXmlStreamReader::StartDocument:
+ case QXmlStreamReader::DTD:
+ return loc == QXmlStreamReaderPrivate::Prolog;
+
+ case QXmlStreamReader::StartElement:
+ case QXmlStreamReader::EndElement:
+ case QXmlStreamReader::Characters:
+ case QXmlStreamReader::EntityReference:
+ case QXmlStreamReader::EndDocument:
+ return loc == QXmlStreamReaderPrivate::Body;
+
+ case QXmlStreamReader::Comment:
+ case QXmlStreamReader::ProcessingInstruction:
+ return true;
+
+ case QXmlStreamReader::NoToken:
+ case QXmlStreamReader::Invalid:
+ return false;
+ }
+
+ return false;
+}
+
+/*!
+ \internal
+ \brief QXmlStreamReader::isValidToken
+ \return \c true if \param type is a valid token type.
+ \return \c false if \param type is an unexpected token,
+ which indicates a non-well-formed or invalid XML stream.
+ */
+bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type)
+{
+ // Don't change currentContext, if Invalid or NoToken occur in the prolog
+ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken)
+ return false;
+
+ // If a token type gets rejected in the body, there is no recovery
+ const bool result = isTokenAllowedInContext(type, currentContext);
+ if (result || currentContext == QXmlStreamReaderPrivate::Body)
+ return result;
+
+ // First non-Prolog token observed => switch context to body and check again.
+ currentContext = QXmlStreamReaderPrivate::Body;
+ return isTokenAllowedInContext(type, currentContext);
+}
+
+/*!
+ \internal
+ Checks token type and raises an error, if it is invalid
+ in the current context (prolog/body).
+ */
+void QXmlStreamReaderPrivate::checkToken()
+{
+ Q_Q(QXmlStreamReader);
+
+ // The token type must be consumed, to keep track if the body has been reached.
+ int context = currentContext;
+ const bool ok = isValidToken(type);
+
+ // Do nothing if an error has been raised already (going along with an unexpected token)
+ if (error != QXmlStreamReader::NoError)
+ return;
+
+ if (!ok) {
+ raiseError(QXmlStreamReader::UnexpectedElementError,
+ QXmlStream::tr("Unexpected token type %1 in %2.")
+ .arg(q->tokenString(), contextString(context)));
+ return;
+ }
+
+ if (type != QXmlStreamReader::DTD)
+ return;
+
+ // Raise error on multiple DTD tokens
+ if (foundDTD) {
+ raiseError(QXmlStreamReader::UnexpectedElementError,
+ QXmlStream::tr("Found second DTD token in %1.").arg(contextString(context)));
+ } else {
+ foundDTD = true;
+ }
+}
+
/*!
\fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
\since 4.5
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index 3539e1b7..055902a1 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -790,6 +790,17 @@ public:
#endif
bool atEnd;
+ enum XmlContext
+ {
+ Prolog = 0,
+ Body,
+ };
+
+ int currentContext = Prolog;
+ bool foundDTD = false;
+ bool isValidToken(QXmlStreamReader::TokenType type);
+ void checkToken();
+
/*!
\sa setType()
*/
--
2.41.0

125
qt-CVE-2023-43114.patch Normal file
View File

@ -0,0 +1,125 @@
From 7edcbe0e7db0c292ceac044aacc598bb250d32f2 Mon Sep 17 00:00:00 2001
From: hua_yadong <huayadong@kylinos.cn>
Date: Mon, 27 Nov 2023 14:25:31 +0800
Subject: [PATCH] qt-CVE-2023-43114
---
src/gui/text/qfontdatabase_win.cpp | 65 +++++++++++++++++++++++-------
1 file changed, 50 insertions(+), 15 deletions(-)
diff --git a/src/gui/text/qfontdatabase_win.cpp b/src/gui/text/qfontdatabase_win.cpp
index 10670b1b..7d40b605 100644
--- a/src/gui/text/qfontdatabase_win.cpp
+++ b/src/gui/text/qfontdatabase_win.cpp
@@ -1140,33 +1140,67 @@ typedef BOOL (WINAPI *PtrRemoveFontMemResourceEx)(HANDLE);
static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData)
{
QList<quint32> offsets;
- const quint32 headerTag = *reinterpret_cast<const quint32 *>(fontData);
+ if (fileEndSentinel - fontData < 12) {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
+ return offsets;
+ }
+
+ const quint32 headerTag = qFromUnaligned<quint32>(fontData);
if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) {
if (headerTag != MAKE_TAG(0, 1, 0, 0)
&& headerTag != MAKE_TAG('O', 'T', 'T', 'O')
&& headerTag != MAKE_TAG('t', 'r', 'u', 'e')
- && headerTag != MAKE_TAG('t', 'y', 'p', '1'))
+ && headerTag != MAKE_TAG('t', 'y', 'p', '1')) {
return offsets;
+ }
offsets << 0;
return offsets;
}
+
+ const quint32 maximumNumFonts = 0xffff;
const quint32 numFonts = qFromBigEndian<quint32>(fontData + 8);
- for (uint i = 0; i < numFonts; ++i) {
- offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
+ if (numFonts > maximumNumFonts) {
+ qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting.";
+ return offsets;
+ }
+
+ if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) {
+ for (quint32 i = 0; i < numFonts; ++i)
+ offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
+ } else {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
}
+
return offsets;
}
-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
{
- const quint16 numTables = qFromBigEndian<quint16>(data + 4);
- for (uint i = 0; i < numTables; ++i) {
- const quint32 offset = 12 + 16 * i;
- if (*reinterpret_cast<const quint32 *>(data + offset) == tag) {
- *table = fileBegin + qFromBigEndian<quint32>(data + offset + 8);
- *length = qFromBigEndian<quint32>(data + offset + 12);
- return;
+ if (fileEndSentinel - data >= 6) {
+ const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+ if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) {
+ for (quint32 i = 0; i < numTables; ++i) {
+ const quint32 offset = 12 + 16 * i;
+ if (qFromUnaligned<quint32>(data + offset) == tag) {
+ const quint32 tableOffset = qFromBigEndian<quint32>(data + offset + 8);
+ if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
+ break;
+ }
+ *table = fileBegin + tableOffset;
+ *length = qFromBigEndian<quint32>(data + offset + 12);
+ if (quintptr(fileEndSentinel - *table) < *length) {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
+ break;
+ }
+ return;
+ }
+ }
+ } else {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
}
+ } else {
+ qCWarning(lcQpaFonts) << "Corrupted font data detected";
}
*table = 0;
*length = 0;
@@ -1176,8 +1210,9 @@ static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag,
static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePrivate::ApplicationFont *appFont)
{
const uchar *data = reinterpret_cast<const uchar *>(fontData.constData());
+ const uchar *dataEndSentinel = data + fontData.size();
- QList<quint32> offsets = getTrueTypeFontOffsets(data);
+ QList<quint32> offsets = getTrueTypeFontOffsets(data, dataEndSentinel);
if (offsets.isEmpty())
return;
@@ -1185,7 +1220,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
const uchar *font = data + offsets.at(i);
const uchar *table;
quint32 length;
- getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+ getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
if (!table)
continue;
QString name = getEnglishName(table, length);
@@ -1194,7 +1229,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
appFont->families << name;
FONTSIGNATURE signature;
- getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+ getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
if (table && length >= 86) {
// See also qfontdatabase_mac.cpp, offsets taken from OS/2 table in the TrueType spec
signature.fsUsb[0] = qFromBigEndian<quint32>(table + 42);
--
2.41.0

66
qt.spec
View File

@ -13,11 +13,11 @@
Name: qt
Epoch: 1
Version: 4.8.7
Release: 56
Release: 61
Summary: A software toolkit for developing applications
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
URL: http://qt-project.org/
Source0: https://download.qt.io/archive/qt/4.8/4.8.7/qt-everywhere-opensource-src-4.8.7.tar.gz
URL: https://www.qt.io/
Source0: https://download.qt.io/archive/qt/4.8/4.8.7/qt-everywhere-opensource-src-%{version}.tar.gz
Source1: qconfig-multilib.h
Source2: assistant.desktop
Source3: designer.desktop
@ -81,6 +81,8 @@ Patch46: qt-everywhere-opensource-src-4.8.7-riscv64.patch
Patch47: fix-build-error-for-loongarch64.patch
%endif
Patch48: fix-build-error-about-messagemodel.patch
# https://codereview.qt-project.org/c/qt/qtscript/+/308863
Patch49: fix-lto-build.patch
Patch6000: CVE-2018-19869.patch
Patch6001: CVE-2018-19872.patch
Patch6002: CVE-2018-19871.patch
@ -89,6 +91,10 @@ Patch6004: CVE-2018-19873.patch
Patch6005: CVE-2020-17507.patch
Patch6006: CVE-2020-0570.patch
Patch6007: CVE-2023-32573.patch
Patch6008: qt-CVE-2023-34410.patch
Patch6009: qt-CVE-2023-38197.patch
Patch6010: qt-CVE-2023-37369.patch
Patch6011: qt-CVE-2023-43114.patch
BuildRequires: cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
BuildRequires: pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@ -357,7 +363,6 @@ if [ $1 -gt 1 ] ; then
fi
%post
/sbin/ldconfig
%{_sbindir}/update-alternatives \
--install %{_sysconfdir}/xdg/qtchooser/4.conf \
qtchooser-4 \
@ -370,10 +375,7 @@ fi
%{_sysconfdir}/xdg/qtchooser/4.conf \
%{priority}
touch --no-create %{_datadir}/icons/hicolor ||:
%postun
/sbin/ldconfig
if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives \
--remove qtchooser-4 \
@ -384,28 +386,6 @@ if [ $1 -eq 0 ]; then
%{_sysconfdir}/xdg/qtchooser/4.conf
fi
if [ $1 -eq 0 ] ; then
touch --no-create %{_datadir}/icons/hicolor ||:
gtk-update-icon-cache -q %{_datadir}/icons/hicolor 2> /dev/null ||:
fi
%posttrans
gtk-update-icon-cache -q %{_datadir}/icons/hicolor 2> /dev/null ||:
%post devel
touch --no-create %{_datadir}/icons/hicolor ||:
%posttrans devel
gtk-update-icon-cache -q %{_datadir}/icons/hicolor 2> /dev/null ||:
update-desktop-database -q &> /dev/null ||:
%postun devel
if [ $1 -eq 0 ] ; then
touch --no-create %{_datadir}/icons/hicolor ||:
gtk-update-icon-cache -q %{_datadir}/icons/hicolor 2> /dev/null ||:
update-desktop-database -q &> /dev/null ||:
fi
%files -f qt_all.lang
%doc README
%license LICENSE.GPL3 LICENSE.LGPL LGPL_EXCEPTION.txt
@ -466,6 +446,34 @@ fi
%{_qt4_prefix}/examples/
%changelog
* Sat Dec 07 2024 Funda Wang <fundawang@yeah.net> - 1:4.8.7-61
- fix LTO build
- cleanup spec
* Mon Nov 27 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-60
- Type:cves
- ID:CVE-2023-43114
- SUG:NA
- DESC:fix CVE-2023-43114
* Sat Nov 25 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-59
- Type:cves
- ID:CVE-2023-37369
- SUG:NA
- DESC:fix CVE-2023-37369
* Fri Nov 24 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-58
- Type:cves
- ID:CVE-2023-38197
- SUG:NA
- DESC:fix CVE-2023-38197
* Thu Nov 02 2023 peijiankang<peijiankang@kylinos.cn> - 1:4.8.7-57
- Type:cves
- ID:CVE-2023-34410
- SUG:NA
- DESC:fix CVE-2023-34410
* Mon Aug 21 2023 peijiankang<peijiankang@kylinos.cn> - 1:4.8.7-56
- Type:cves
- ID:CVE-2023-32573