depends: qt: add CVE patches

diff --git a/contrib/depends/packages/qt.mk b/contrib/depends/packages/qt.mk
index d581533fc5eb479d50a41bca0c65139033ecae85..35e4473b5b2ed24d713ab4955514cca3ba4c98f9 100644 (file)
--- a/contrib/depends/packages/qt.mk
+++ b/contrib/depends/packages/qt.mk
@@ -29,6 +29,11 @@ $(package)_patches += v4l2.patch
 $(package)_patches += windows_func_fix.patch
 $(package)_patches += WindowsToolchain.cmake
 
+# Remove >= 6.5.1
+$(package)_patches += CVE-2023-32573-qtsvg-6.5.diff
+$(package)_patches += CVE-2023-32762-qtbase-6.5.diff
+$(package)_patches += CVE-2023-32763-qtbase-6.5.diff
+
 $(package)_qttools_file_name=qttools-$($(package)_suffix)
 $(package)_qttools_sha256_hash=49c33d96b0a44988be954269b8ce3d1a495b439726e03a6be7c0d50a686369c4
 
@@ -255,7 +260,12 @@ define $(package)_preprocess_cmds
   mv $($(package)_patch_dir)/arm64-apple-toolchain.cmake . && \
   mv $($(package)_patch_dir)/gnueabihfToolchain.cmake . && \
   mv $($(package)_patch_dir)/riscvToolchain.cmake . && \
-  cd qtmultimedia && \
+  cd qtbase && \
+  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32762-qtbase-6.5.diff && \
+  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32763-qtbase-6.5.diff && \
+  cd ../qtsvg && \
+  patch -p1 -i $($(package)_patch_dir)/CVE-2023-32573-qtsvg-6.5.diff && \
+  cd ../qtmultimedia && \
   patch -p1 -i $($(package)_patch_dir)/qtmultimedia-fixes.patch && \
   patch -p1 -i $($(package)_patch_dir)/v4l2.patch
 endef

diff --git a/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
new file mode 100644 (file)
index 0000000..aa86f2a
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32573-qtsvg-6.5.diff
@@ -0,0 +1,36 @@
+--- a/src/svg/qsvgfont_p.h
++++ b/src/svg/qsvgfont_p.h
+@@ -38,6 +38,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++    static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+     QSvgFont(qreal horizAdvX);
+ 
+     void setFamilyName(const QString &name);
+@@ -50,9 +51,7 @@ public:
+     void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+     QString m_familyName;
+-    qreal m_unitsPerEm;
+-    qreal m_ascent;
+-    qreal m_descent;
++    qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+     qreal m_horizAdvX;
+     QHash<QChar, QSvgGlyph> m_glyphs;
+ };
+
+
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -2622,7 +2622,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
+ 
+     qreal unitsPerEm = toDouble(unitsPerEmStr);
+     if (!unitsPerEm)
+-        unitsPerEm = 1000;
++        unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+     if (!name.isEmpty())
+         font->setFamilyName(name);
+
+

diff --git a/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
new file mode 100644 (file)
index 0000000..616b096
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32762-qtbase-6.5.diff
@@ -0,0 +1,13 @@
+--- a/src/network/access/qhsts.cpp\r
++++ b/src/network/access/qhsts.cpp\r
+@@ -327,8 +327,8 @@ quoted-pair    = "\" CHAR\r
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)\r
+ {\r
+     for (const auto &h : headers) {\r
+-        // We use '==' since header name was already 'trimmed' for us:\r
+-        if (h.first == "Strict-Transport-Security") {\r
++        // We compare directly because header name was already 'trimmed' for us:\r
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {\r
+             header = h.second;\r
+             // RFC6797, 8.1:\r
+             //\r

diff --git a/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff b/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
new file mode 100644 (file)
index 0000000..bdb18de
--- /dev/null
+++ b/contrib/depends/patches/qt/CVE-2023-32763-qtbase-6.5.diff
@@ -0,0 +1,53 @@
+--- a/src/gui/painting/qfixed_p.h\r
++++ b/src/gui/painting/qfixed_p.h\r
+@@ -18,6 +18,7 @@\r
+ #include <QtGui/private/qtguiglobal_p.h>\r
+ #include "QtCore/qdebug.h"\r
+ #include "QtCore/qpoint.h"\r
++#include "QtCore/qnumeric.h"\r
+ #include "QtCore/qsize.h"\r
+\r
+ QT_BEGIN_NAMESPACE\r
+@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i, QFixed d) { return d+i; }\r
+ constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }\r
+ // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }\r
+\r
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)\r
++{\r
++    int val;\r
++    bool result = qAddOverflow(v1.value(), v2.value(), &val);\r
++    r->setValue(val);\r
++    return result;\r
++}\r
++\r
++inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)\r
++{\r
++    int val;\r
++    bool result = qMulOverflow(v1.value(), v2.value(), &val);\r
++    r->setValue(val);\r
++    return result;\r
++}\r
++\r
+ #ifndef QT_NO_DEBUG_STREAM\r
+ inline QDebug &operator<<(QDebug &dbg, QFixed f)\r
+ { return dbg << f.toReal(); }\r
+\r
+\r
+--- a/src/gui/text/qtextlayout.cpp\r
++++ b/src/gui/text/qtextlayout.cpp\r
+@@ -2164,9 +2164,12 @@ found:\r
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);\r
+     } else {\r
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);\r
+-        eng->layoutData->currentMaxWidth += line.textWidth;\r
+-        if (!manuallyWrapped)\r
+-            eng->layoutData->currentMaxWidth += lbh.spaceData.textWidth;\r
++        if (qAddOverflow(eng->layoutData->currentMaxWidth, line.textWidth, &eng->layoutData->currentMaxWidth))\r
++            eng->layoutData->currentMaxWidth = QFIXED_MAX;\r
++        if (!manuallyWrapped) {\r
++            if (qAddOverflow(eng->layoutData->currentMaxWidth, lbh.spaceData.textWidth, &eng->layoutData->currentMaxWidth))\r
++                eng->layoutData->currentMaxWidth = QFIXED_MAX;\r
++        }\r
+         eng->maxWidth = qMax(eng->maxWidth, eng->layoutData->currentMaxWidth);\r
+         if (manuallyWrapped)\r
+             eng->layoutData->currentMaxWidth = 0;
\ No newline at end of file