diff --git a/CVE-2021-45930.patch b/CVE-2021-45930.patch deleted file mode 100644 index c1d1534..0000000 --- a/CVE-2021-45930.patch +++ /dev/null @@ -1,221 +0,0 @@ -From 36cfd9efb9b22b891adee9c48d30202289cfa620 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland -Date: Mon, 25 Oct 2021 14:17:55 +0200 -Subject: [PATCH] Do stricter error checking when parsing path nodes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SVG spec mandates that path parsing should terminate on the first -error encountered, and an error be reported. To improve the handling -of corrupt files, implement such error handling, and also limit the -number of QPainterPath elements to a reasonable range. - -Fixes: QTBUG-96044 -Pick-to: 6.2 5.15 5.12 -Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 -Reviewed-by: Allan Sandfeld Jensen -Reviewed-by: Robert Löhning ---- - src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 34 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index db29211..dd869ff 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path, - - static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - { -+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this - qreal x0 = 0, y0 = 0; // starting point - qreal x = 0, y = 0; // current point - char lastMode = 0; -@@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr - const QChar *str = dataStr.constData(); - const QChar *end = str + dataStr.size(); - -- while (str != end) { -+ bool ok = true; -+ while (ok && str != end) { - while (str->isSpace() && (str + 1) != end) - ++str; - QChar pathElem = *str; -@@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr - arg.append(0);//dummy - const qreal *num = arg.constData(); - int count = arg.count(); -- while (count > 0) { -+ while (ok && count > 0) { - qreal offsetX = x; // correction offsets - qreal offsetY = y; // for relative commands - switch (pathElem.unicode()) { - case 'm': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0] + offsetX; -@@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr - break; - case 'M': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0]; -@@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr - break; - case 'l': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0] + offsetX; -@@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr - break; - case 'L': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0]; -@@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr - break; - case 'c': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr - } - case 'C': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0], num[1]); -@@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr - } - case 's': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr - } - case 'S': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr - } - case 'q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr - } - case 'Q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0], num[1]); -@@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr - } - case 't': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr - } - case 'T': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0], num[1]); -@@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr - } - case 'a': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr - break; - case 'A': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr - } - break; - default: -- return false; -+ ok = false; -+ break; - } - lastMode = pathElem.toLatin1(); -+ if (path.elementCount() > maxElementCount) -+ ok = false; - } - } -- return true; -+ return ok; - } - - static bool parseStyle(QSvgNode *node, -@@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode - - QPainterPath qpath; - qpath.setFillRule(Qt::WindingFill); -- //XXX do error handling -- parsePathDataFast(data, qpath); -+ if (!parsePathDataFast(data, qpath)) -+ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); - - QSvgNode *path = new QSvgPath(parent, qpath); - return path; - diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index 3869547..9afb1fe 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec @@ -1,30 +1,43 @@ -Name: qt5-qtsvg -Version: 5.15.2 -Release: 2 -Summary: Qt GUI toolkit for rendering and displaying SVG -License: LGPLv2 with exceptions or GPLv3 with exceptions -Url: http://www.qt.io -%global majmin %(echo %{version} | cut -d. -f1-2) -Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz -Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch -Patch1: CVE-2021-45930.patch +%global qt_module qtsvg -BuildRequires: make -BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel -%{?_qt5:Requires: %{_qt5} = %{_qt5_version}} +Summary: Qt5 - Support for rendering and displaying SVG +Name: qt5-%{qt_module} +Version: 5.15.10 +Release: 1 + +# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details +License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0 +Url: http://www.qt.io +%global majmin %(echo %{version} | cut -d. -f1-2) +Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz + +Patch0: qtsvg-CVE-2023-32573.patch + +BuildRequires: make +BuildRequires: qt5-qtbase-devel >= %{version} +BuildRequires: pkgconfig(zlib) + +BuildRequires: qt5-qtbase-private-devel +%{?_qt5:Requires: %{_qt5}%{?_isa} = %{_qt5_version}} %description -The Qt SVG module provides functionality for displaying SVG images in -widget, and to create SVG files using drawing commands. +Scalable Vector Graphics (SVG) is an XML-based language for describing +two-dimensional vector graphics. Qt provides classes for rendering and +displaying SVG drawings in widgets and on other paint devices. %package devel -Summary: Library and header files of libdwarf for qt5-qtsvg -Requires: %{name} = %{version}-%{release} qt5-qtbase-devel -Provides: %{name}-examples = %{version}-%{release} -Obsoletes: %{name}-examples < %{version}-%{release} - +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: qt5-qtbase-devel%{?_isa} %description devel -qt5-qtsvg-devel provides libraries and header files for qt5-qtsvg. +%{summary}. + +%package examples +Summary: Programming examples for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +%description examples +%{summary}. + %prep %autosetup -n qtsvg-everywhere-src-%{version} -p1 @@ -47,24 +60,33 @@ for prl_file in libQt5*.prl ; do done popd -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig + +%ldconfig_scriptlets %files %license LICENSE.* -%dir %{_qt5_libdir}/cmake/Qt5Svg/ -%{_qt5_libdir}/{libQt5Svg.so.5*,cmake/Qt5Svg/Qt5Svg_*Plugin.cmake} -%{_qt5_plugindir}/{iconengines/libqsvgicon.so,imageformats/libqsvg.so} +%{_qt5_libdir}/libQt5Svg.so.5* +%{_qt5_plugindir}/iconengines/libqsvgicon.so +%{_qt5_plugindir}/imageformats/libqsvg.so %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QSvg*Plugin.cmake %files devel -%{_qt5_examplesdir}/ %{_qt5_headerdir}/QtSvg/ +%{_qt5_libdir}/libQt5Svg.so +%{_qt5_libdir}/libQt5Svg.prl +%dir %{_qt5_libdir}/cmake/Qt5Svg/ %{_qt5_libdir}/cmake/Qt5Svg/Qt5SvgConfig*.cmake -%{_qt5_libdir}/{libQt5Svg.so,libQt5Svg.prl,pkgconfig/Qt5Svg.pc} +%{_qt5_libdir}/pkgconfig/Qt5Svg.pc %{_qt5_archdatadir}/mkspecs/modules/qt_lib_svg*.pri +%files examples +%{_qt5_examplesdir}/ + + %changelog +* Mon Aug 21 2023 huayadong - 5.15.10-1 +- update to version 5.15.10-1 + * Thu Jan 13 2022 wangkai - 5.15.2-2 - Fix CVE-2021-45930 diff --git a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch deleted file mode 100644 index 83db864..0000000 --- a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp ---- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2020-10-27 09:02:11.000000000 +0100 -+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2021-03-09 17:48:50.187425243 +0100 -@@ -65,6 +65,7 @@ - #include "private/qmath_p.h" - - #include "float.h" -+#include - - QT_BEGIN_NAMESPACE - -@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str) - val = -val; - } else { - val = QByteArray::fromRawData(temp, pos).toDouble(); -+ // Do not tolerate values too wild to be represented normally by floats -+ if (std::fpclassify(float(val)) != FP_NORMAL) -+ val = 0; - } - return val; - -@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr - ncy = toDouble(cy); - if (!r.isEmpty()) - nr = toDouble(r); -+ if (nr < 0.5) -+ nr = 0.5; - - qreal nfx = ncx; - if (!fx.isEmpty()) diff --git a/qtsvg-CVE-2023-32573.patch b/qtsvg-CVE-2023-32573.patch new file mode 100644 index 0000000..0554756 --- /dev/null +++ b/qtsvg-CVE-2023-32573.patch @@ -0,0 +1,34 @@ +--- a/src/svg/qsvgfont_p.h ++++ b/src/svg/qsvgfont_p.h +@@ -74,6 +74,7 @@ public: + class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted + { + public: ++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000; + QSvgFont(qreal horizAdvX); + + void setFamilyName(const QString &name); +@@ -86,9 +87,7 @@ public: + void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const; + public: + QString m_familyName; +- qreal m_unitsPerEm; +- qreal m_ascent; +- qreal m_descent; ++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM; + qreal m_horizAdvX; + QHash m_glyphs; + }; + + +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent, + + qreal unitsPerEm = toDouble(unitsPerEmStr); + if (!unitsPerEm) +- unitsPerEm = 1000; ++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM; + + if (!name.isEmpty()) + font->setFamilyName(name); diff --git a/qtsvg-everywhere-opensource-src-5.15.10.tar.xz b/qtsvg-everywhere-opensource-src-5.15.10.tar.xz new file mode 100644 index 0000000..9777af4 Binary files /dev/null and b/qtsvg-everywhere-opensource-src-5.15.10.tar.xz differ diff --git a/qtsvg-everywhere-src-5.15.2.tar.xz b/qtsvg-everywhere-src-5.15.2.tar.xz deleted file mode 100644 index eb11c2d..0000000 Binary files a/qtsvg-everywhere-src-5.15.2.tar.xz and /dev/null differ