File 0001-Fix-specific-overflow-in-qtextlayout-CVE-2... of Package libqt5-qtbase

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Fix-specific-overflow-in-qtextlayout-CVE-2023-32763.patch of Package libqt5-qtbase

From e6c8aa2426ef5bd575f85aae530322b145b49006 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Fri, 5 May 2023 09:51:32 +0200
Subject: [PATCH] Fix specific overflow in qtextlayout (CVE-2023-32763)

Fixes: QTBUG-113337
Pick-to: 6.5 6.5.1 6.2 5.15
Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)

* asturmlechner 2023-05-23: Upstream backport to 5.15 taken from
  https://www.qt.io/blog/security-advisory-qt-svg-1
---
 src/gui/painting/qfixed_p.h  | 9 +++++++++
 src/gui/text/qtextlayout.cpp | 9 ++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
index 846592881c2..57d750a4b3c 100644
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -54,6 +54,7 @@
 #include <QtGui/private/qtguiglobal_p.h>
 #include "QtCore/qdebug.h"
 #include "QtCore/qpoint.h"
+#include <QtCore/private/qnumeric_p.h>
 #include "QtCore/qsize.h"
 
 QT_BEGIN_NAMESPACE
@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
 Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
 Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
 
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+    int val;
+    bool result = add_overflow(v1.value(), v2.value(), &val);
+    r->setValue(val);
+    return result;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
 { return dbg << f.toReal(); }
diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index 26ac37b016a..f6c69ff4a28 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -2150,11 +2150,14 @@ found:
         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
     } else {
         eng->minWidth = qMax(eng->minWidth, lbh.minw);
-        eng->maxWidth += line.textWidth;
+        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
     }
 
-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
-        eng->maxWidth += lbh.spaceData.textWidth;
+    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
+    }
     if (eng->option.flags() & QTextOption::IncludeTrailingSpaces)
         line.textWidth += lbh.spaceData.textWidth;
     if (lbh.spaceData.length) {
# 
#     line.textWidth += trailingSpace;
#     if (lbh.spaceData.length) {
-- 
GitLab

Places

File 0001-Fix-specific-overflow-in-qtextlayout-CVE-2023-32763.patch of Package libqt5-qtbase

Places