!19 fix CVE-2019-18281

From: @wang_yue111 Reviewed-by: @maminjie,@small_leek Signed-off-by: @small_leek
2021-04-21 16:03:18 +08:00 · 2021-04-21 16:03:18 +08:00 · 2818cdff4d
commit 2818cdff4d
parent 4d2c79b3d5 270a8fcfd5
2 changed files with 106 additions and 1 deletions
--- a/CVE-2019-18281.patch
+++ b/CVE-2019-18281.patch
@ -0,0 +1,101 @@
+From af267657ea11e292012ac02634e8bd2dcf8328c7 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 21 Apr 2021 11:35:47 +0800
+Subject: [PATCH] Fix crash when text contains too many directional chars
+
+In case a text to be layouted contains more than 128 directional characters
+it causes the application to crash
+
+The function initScriptAnalysisAndIsolatePairs() collects information of
+RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is
+capped to 128. Later the function generateDirectionalRuns() iterates
+the text again and tries to access items from the previously capped vector
+above the upper bound.
+
+Task-number: QTBUG-77819
+Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a
+Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
+(cherry picked from commit 1232205e32464d90e871f39eb1e14fcf9b78a163)
+Reviewed-by: Jukka Jokiniva <jukka.jokiniva@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+---
+ src/gui/text/qtextengine.cpp                    | 15 +++++++--------
+ .../gui/text/qtextlayout/tst_qtextlayout.cpp    | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp
+index 5e38311f..0c405cbf 100644
+--- a/src/gui/text/qtextengine.cpp
+++ b/src/gui/text/qtextengine.cpp
+@@ -393,6 +393,7 @@ struct QBidiAlgorithm {
+                         analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL;
+                     runHasContent = true;
+                     lastRunWithContent = -1;
+                    ++isolatePairPosition;
+                 }
+                 int runBeforeIsolate = runs.size();
+                 ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1);
+@@ -434,20 +435,18 @@ struct QBidiAlgorithm {
+                 doEmbed(true, true, false);
+                 break;
+             case QChar::DirLRI:
+-                ++isolatePairPosition;
+-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+                 doEmbed(false, false, true);
+                 break;
+             case QChar::DirRLI:
+-                ++isolatePairPosition;
+-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+                 doEmbed(true, false, true);
+                 break;
+             case QChar::DirFSI: {
+-                ++isolatePairPosition;
+-                const auto &pair = isolatePairs.at(isolatePairPosition);
+-                Q_ASSERT(pair.start == i);
+-                bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+		bool isRtl = false;
+		if (isolatePairPosition < isolatePairs.size()) {
+		    const auto &pair = isolatePairs.at(isolatePairPosition);
+		    Q_ASSERT(pair.start == i);
+		    isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+		}
+                 doEmbed(isRtl, false, true);
+                 break;
+             }
+diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+index 4e3d1da8..ec8b6116 100644
+--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+@@ -137,6 +137,7 @@ private slots:
+     void nbspWithFormat();
+     void noModificationOfInputString();
+     void superscriptCrash_qtbug53911();
+    void tooManyDirectionalCharctersCrash_qtbug77819();
+ 
+ private:
+     QFont testFont;
+@@ -2291,5 +2292,21 @@ void tst_QTextLayout::nbspWithFormat()
+     QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length());
+ }
+ 
+void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819()
+{
+    QString data;
+    data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character
+    data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character
+
+    // duplicating the text
+    for (int i = 0; i < 10; i++)
+        data += data;
+
+    // Nothing to test. It must not crash in beginLayout().
+    QTextLayout tl(data);
+    tl.beginLayout();
+    tl.endLayout();
+}
+
+ QTEST_MAIN(tst_QTextLayout)
+ #include "tst_qtextlayout.moc"
+-- 
+2.23.0
+
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -13,7 +13,7 @@
 Name:             qt5-qtbase
 Summary:          Core component of Qt toolkit
 Version:          5.11.1
-Release:          13
+Release:          14
 License:          LGPLv2 with exceptions or GPLv3 with exceptions
 Url:              http://qt-project.org/
 Source0:          https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz
@ -37,6 +37,7 @@ Patch0011:        qt5-qtbase-glibc.patch
 Patch0012:        qtbase5-double-conversion-add-riscv.patch
 Patch6000:        CVE-2018-15518.patch 
 Patch6001:        CVE-2015-9541.patch
+Patch6002:        CVE-2019-18281.patch

 BuildRequires:    pkgconfig(libsystemd) cups-devel desktop-file-utils findutils
 BuildRequires:    libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa)
@ -403,6 +404,9 @@ fi


 %changelog
+* Wed Apr 21 2021 wangyue <wangyue@huawei.com> - 5.11.1-14
+- fix CVE-2019-18281
+
 * Sat Nov 28 2020 liyuanrong <liyuanrong1@huawei.com> - 5.11.1-13
 - add double conversion support riscv