packages/qt5-qtsvg
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!25 [sync] PR-24: update to version 5.15.10-1

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
This commit is contained in:
openeuler-ci-bot 2023-08-30 09:18:42 +00:00 committed by Gitee
commit 3a5eb5cac3
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 84 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

221
CVE-2021-45930.patch
View File

@ -1,221 +0,0 @@
From 36cfd9efb9b22b891adee9c48d30202289cfa620 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 25 Oct 2021 14:17:55 +0200
Subject: [PATCH] Do stricter error checking when parsing path nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The SVG spec mandates that path parsing should terminate on the first
error encountered, and an error be reported. To improve the handling
of corrupt files, implement such error handling, and also limit the
number of QPainterPath elements to a reasonable range.
Fixes: QTBUG-96044
Pick-to: 6.2 5.15 5.12
Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
---
src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------
1 file changed, 25 insertions(+), 34 deletions(-)
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index db29211..dd869ff 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path,
static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
{
+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this
qreal x0 = 0, y0 = 0; // starting point
qreal x = 0, y = 0; // current point
char lastMode = 0;
@@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr
const QChar *str = dataStr.constData();
const QChar *end = str + dataStr.size();
- while (str != end) {
+ bool ok = true;
+ while (ok && str != end) {
while (str->isSpace() && (str + 1) != end)
++str;
QChar pathElem = *str;
@@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr
arg.append(0);//dummy
const qreal *num = arg.constData();
int count = arg.count();
- while (count > 0) {
+ while (ok && count > 0) {
qreal offsetX = x; // correction offsets
qreal offsetY = y; // for relative commands
switch (pathElem.unicode()) {
case 'm': {
if (count < 2) {
- num++;
- count--;
+ ok = false;
break;
}
x = x0 = num[0] + offsetX;
@@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr
break;
case 'M': {
if (count < 2) {
- num++;
- count--;
+ ok = false;
break;
}
x = x0 = num[0];
@@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr
break;
case 'l': {
if (count < 2) {
- num++;
- count--;
+ ok = false;
break;
}
x = num[0] + offsetX;
@@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr
break;
case 'L': {
if (count < 2) {
- num++;
- count--;
+ ok = false;
break;
}
x = num[0];
@@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr
break;
case 'c': {
if (count < 6) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c1(num[0] + offsetX, num[1] + offsetY);
@@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr
}
case 'C': {
if (count < 6) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c1(num[0], num[1]);
@@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr
}
case 's': {
if (count < 4) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c1;
@@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr
}
case 'S': {
if (count < 4) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c1;
@@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr
}
case 'q': {
if (count < 4) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c(num[0] + offsetX, num[1] + offsetY);
@@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr
}
case 'Q': {
if (count < 4) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF c(num[0], num[1]);
@@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr
}
case 't': {
if (count < 2) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF e(num[0] + offsetX, num[1] + offsetY);
@@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr
}
case 'T': {
if (count < 2) {
- num += count;
- count = 0;
+ ok = false;
break;
}
QPointF e(num[0], num[1]);
@@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr
}
case 'a': {
if (count < 7) {
- num += count;
- count = 0;
+ ok = false;
break;
}
qreal rx = (*num++);
@@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr
break;
case 'A': {
if (count < 7) {
- num += count;
- count = 0;
+ ok = false;
break;
}
qreal rx = (*num++);
@@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr
}
break;
default:
- return false;
+ ok = false;
+ break;
}
lastMode = pathElem.toLatin1();
+ if (path.elementCount() > maxElementCount)
+ ok = false;
}
}
- return true;
+ return ok;
}
static bool parseStyle(QSvgNode *node,
@@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode
QPainterPath qpath;
qpath.setFillRule(Qt::WindingFill);
- //XXX do error handling
- parsePathDataFast(data, qpath);
+ if (!parsePathDataFast(data, qpath))
+ qCWarning(lcSvgHandler, "Invalid path data; path truncated.");
QSvgNode *path = new QSvgPath(parent, qpath);
return path;

72
qt5-qtsvg.spec
View File

@ -1,30 +1,43 @@
Name: qt5-qtsvg
Version: 5.15.2
Release: 2
Summary: Qt GUI toolkit for rendering and displaying SVG
License: LGPLv2 with exceptions or GPLv3 with exceptions
%global qt_module qtsvg
Summary: Qt5 - Support for rendering and displaying SVG
Name: qt5-%{qt_module}
Version: 5.15.10
Release: 1
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
Url: http://www.qt.io
%global majmin %(echo %{version} | cut -d. -f1-2)
Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz
Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
Patch1: CVE-2021-45930.patch
Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz
Patch0: qtsvg-CVE-2023-32573.patch
BuildRequires: make
BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel
%{?_qt5:Requires: %{_qt5} = %{_qt5_version}}
BuildRequires: qt5-qtbase-devel >= %{version}
BuildRequires: pkgconfig(zlib)
BuildRequires: qt5-qtbase-private-devel
%{?_qt5:Requires: %{_qt5}%{?_isa} = %{_qt5_version}}
%description
The Qt SVG module provides functionality for displaying SVG images in
widget, and to create SVG files using drawing commands.
Scalable Vector Graphics (SVG) is an XML-based language for describing
two-dimensional vector graphics. Qt provides classes for rendering and
displaying SVG drawings in widgets and on other paint devices.
%package devel
Summary: Library and header files of libdwarf for qt5-qtsvg
Requires: %{name} = %{version}-%{release} qt5-qtbase-devel
Provides: %{name}-examples = %{version}-%{release}
Obsoletes: %{name}-examples < %{version}-%{release}
Summary: Development files for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: qt5-qtbase-devel%{?_isa}
%description devel
qt5-qtsvg-devel provides libraries and header files for qt5-qtsvg.
%{summary}.
%package examples
Summary: Programming examples for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description examples
%{summary}.
%prep
%autosetup -n qtsvg-everywhere-src-%{version} -p1
@ -47,24 +60,33 @@ for prl_file in libQt5*.prl ; do
done
popd
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%ldconfig_scriptlets
%files
%license LICENSE.*
%dir %{_qt5_libdir}/cmake/Qt5Svg/
%{_qt5_libdir}/{libQt5Svg.so.5*,cmake/Qt5Svg/Qt5Svg_*Plugin.cmake}
%{_qt5_plugindir}/{iconengines/libqsvgicon.so,imageformats/libqsvg.so}
%{_qt5_libdir}/libQt5Svg.so.5*
%{_qt5_plugindir}/iconengines/libqsvgicon.so
%{_qt5_plugindir}/imageformats/libqsvg.so
%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QSvg*Plugin.cmake
%files devel
%{_qt5_examplesdir}/
%{_qt5_headerdir}/QtSvg/
%{_qt5_libdir}/libQt5Svg.so
%{_qt5_libdir}/libQt5Svg.prl
%dir %{_qt5_libdir}/cmake/Qt5Svg/
%{_qt5_libdir}/cmake/Qt5Svg/Qt5SvgConfig*.cmake
%{_qt5_libdir}/{libQt5Svg.so,libQt5Svg.prl,pkgconfig/Qt5Svg.pc}
%{_qt5_libdir}/pkgconfig/Qt5Svg.pc
%{_qt5_archdatadir}/mkspecs/modules/qt_lib_svg*.pri
%files examples
%{_qt5_examplesdir}/
%changelog
* Mon Aug 21 2023 huayadong <huayadong@kylinos.cn> - 5.15.10-1
- update to version 5.15.10-1
* Thu Jan 13 2022 wangkai <wangkai385@huawei.com> - 5.15.2-2
- Fix CVE-2021-45930

30
qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch
View File

@ -1,30 +0,0 @@
diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp
--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2020-10-27 09:02:11.000000000 +0100
+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2021-03-09 17:48:50.187425243 +0100
@@ -65,6 +65,7 @@
#include "private/qmath_p.h"
#include "float.h"
+#include <cmath>
QT_BEGIN_NAMESPACE
@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
val = -val;
} else {
val = QByteArray::fromRawData(temp, pos).toDouble();
+ // Do not tolerate values too wild to be represented normally by floats
+ if (std::fpclassify(float(val)) != FP_NORMAL)
+ val = 0;
}
return val;
@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr
ncy = toDouble(cy);
if (!r.isEmpty())
nr = toDouble(r);
+ if (nr < 0.5)
+ nr = 0.5;
qreal nfx = ncx;
if (!fx.isEmpty())

34
qtsvg-CVE-2023-32573.patch Normal file
View File

@ -0,0 +1,34 @@
--- a/src/svg/qsvgfont_p.h
+++ b/src/svg/qsvgfont_p.h
@@ -74,6 +74,7 @@ public:
class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
{
public:
+ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
QSvgFont(qreal horizAdvX);
void setFamilyName(const QString &name);
@@ -86,9 +87,7 @@ public:
void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
public:
QString m_familyName;
- qreal m_unitsPerEm;
- qreal m_ascent;
- qreal m_descent;
+ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
qreal m_horizAdvX;
QHash<QChar, QSvgGlyph> m_glyphs;
};
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
qreal unitsPerEm = toDouble(unitsPerEmStr);
if (!unitsPerEm)
- unitsPerEm = 1000;
+ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
if (!name.isEmpty())
font->setFamilyName(name);

BIN
qtsvg-everywhere-opensource-src-5.15.10.tar.xz Normal file
View File

Binary file not shown.

BIN
qtsvg-everywhere-src-5.15.2.tar.xz
View File

Binary file not shown.