From 3f387c7164fd0f17a4bcc55b2236ecf172351047 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 28 Jun 2023 12:52:43 +0800
Subject: [PATCH] Fix CVE-2023-32762 and CVE-2023-32763

(cherry picked from commit 95b28be50ef0e186555703897b7246867db71ec1)
---
 CVE-2023-32762.patch | 50 ++++++++++++++++++++++++++++++++++
 CVE-2023-32763.patch | 64 ++++++++++++++++++++++++++++++++++++++++++++
 qt5-qtbase.spec      |  9 ++++++-
 3 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-32762.patch
 create mode 100644 CVE-2023-32763.patch

diff --git a/CVE-2023-32762.patch b/CVE-2023-32762.patch
new file mode 100644
index 0000000..33686d9
--- /dev/null
+++ b/CVE-2023-32762.patch
@@ -0,0 +1,50 @@
+From 1b736a815be0222f4b24289cf17575fc15707305 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Fri, 5 May 2023 11:07:26 +0200
+Subject: [PATCH] Hsts: match header names case insensitively
+
+Header field names are always considered to be case-insensitive.
+
+Pick-to: 6.5 6.5.1 6.2 5.15
+Fixes: QTBUG-113392
+Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
+Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+---
+ src/network/access/qhsts.cpp                 | 4 ++--
+ tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
+index 39905f354807..82deede17298 100644
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -327,8 +327,8 @@ quoted-pair    = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+     for (const auto &h : headers) {
+-        // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        // We compare directly because header name was already 'trimmed' for us:
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
+diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
+index 252f5e8f5792..97a2d2889e57 100644
+--- a/tests/auto/network/access/hsts/tst_qhsts.cpp
++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
+@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser()
+     QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
+     QVERIFY(parser.includeSubDomains());
+ 
++    list.pop_back();
++    list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
++    QVERIFY(parser.parse(list));
++    QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
++    QVERIFY(parser.includeSubDomains());
++
+     list.pop_back();
+     // Invalid (includeSubDomains twice):
+     list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
diff --git a/CVE-2023-32763.patch b/CVE-2023-32763.patch
new file mode 100644
index 0000000..a3c9836
--- /dev/null
+++ b/CVE-2023-32763.patch
@@ -0,0 +1,64 @@
+From 9e92024a183e93c63cb96a0a48cca07c20c7a243 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Wed, 28 Jun 2023 11:47:13 +0800
+Subject: [PATCH 1/1] Fix CVE-2023-32763
+
+Origin: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
+
+---
+ src/gui/painting/qfixed_p.h  | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 84659288..57d750a4 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = add_overflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index b2f12ef1..897a1bc9 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2138,11 +2138,14 @@ found:
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+     } else {
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-        eng->maxWidth += line.textWidth;
++	if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++	    eng->maxWidth = QFIXED_MAX;
+     }
+ 
+-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-        eng->maxWidth += lbh.spaceData.textWidth;
++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++	if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++	    eng->maxWidth = QFIXED_MAX;
++    }
+ 
+     line.textWidth += trailingSpace;
+     if (lbh.spaceData.length) {
+-- 
+2.30.0
+
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 0345ed8..15e1270 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -34,7 +34,7 @@ BuildRequires:    pkgconfig(libsystemd)
 Name:             qt5-qtbase
 Summary:          Qt5 - QtBase components
 Version:          5.15.2
-Release:          7
+Release:          8
 
 
 # See LGPL_EXCEPTIONS.txt, for exception details
@@ -117,6 +117,8 @@ Patch0022:        add-loongarch64-support.patch
 # https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
 Patch0023:        CVE-2023-24607.patch
 Patch0024:        Fix-lupdate-command-error-on-loongarch64.patch
+Patch0025:        CVE-2023-32762.patch
+Patch0026:        CVE-2023-32763.patch
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
 # not there, the platform to integrate with isn't either. Then Qt will just
@@ -376,6 +378,8 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch0022 -p1
 %patch0023 -p1
 %patch0024 -p1
+%patch0025 -p1
+%patch0026 -p1
 # move some bundled libs to ensure they're not accidentally used
 pushd src/3rdparty
 mkdir UNUSED
@@ -1017,6 +1021,9 @@ fi
 
 
 %changelog
+* Wed Jun 28 2023 yaoxin <yao_xin001@hoperun.com> - 5.15.2-8
+- Fix CVE-2023-32762 and CVE-2023-32763
+
 * Thu Jun 08 2023 huajingyun <huajingyun@loongson.cn> - 5.15.2-7
 - Fix lupdate command error on loongarch64
 
-- 
Gitee