From 0f5dd9d9230d5398979deb1d50b8bd04c4748266 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Thu, 16 Oct 2025 09:54:03 +0800
Subject: [PATCH] fix CVE-2025-5683
---
 CVE-2025-5683.patch | 29 +++++++++++++++++++++++++++++
 qt5-qtimageformats.spec | 7 ++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-5683.patch
diff --git a/CVE-2025-5683.patch b/CVE-2025-5683.patch
new file mode 100644
index 0000000..02c0438
--- /dev/null
+++ b/CVE-2025-5683.patch
@@ -0,0 +1,29 @@
+diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
+index 02086cbf26c..207f7cd8393 100644
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -323,8 +323,11 @@ static inline bool isPowOf2OrDividesBy16(quint32 u, qreal r)
+
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+- return header.ostype != 0 && (bound == 0
+- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++ return header.ostype != 0 &&
++ (bound == 0 ||
++ // qBound can be used but requires checking the limits first
++ // this requires less operations
++ (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -869,7 +872,7 @@ bool QICNSHandler::scanDevice()
+ return false;
+
+ const qint64 blockDataOffset = device()->pos();
+- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+ qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+ QByteArray::number(blockDataOffset).constData(),
+ nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
+
+
diff --git a/qt5-qtimageformats.spec b/qt5-qtimageformats.spec
index 715131a..78188d5 100644
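Review bot: In the vendored qicnshandler.cpp change, `isBlockHeaderValid` takes `bound` as `quint64` while `scanDevice()` computes the argument from `qint64 blockDataOffset`, so a negative result would convert to a very large bound and `header.length <= bound` would accept any length. A result of exactly 0 takes the `bound == 0` branch and skips the range check entirely. Whether either case is reachable depends on the loop condition and the type of `filelength`, both outside the hunk (the body of `scanDevice()` starts and ends outside it), so it should be confirmed against the full 5.15.16 source. If it is reachable, compute the remainder as a signed value and reject non-positive results before the call, e.g. `const qint64 remaining = ICNSBlockHeaderSize - blockDataOffset + filelength;` followed by `if (remaining <= 0 || !isBlockHeaderValid(blockHeader, quint64(remaining))) {`. Since this file mirrors an upstream patch, such a change belongs upstream rather than in a local edit.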
--- a/qt5-qtimageformats.spec +++ b/qt5-qtimageformats.spec @@ -2,13 +2,15 @@ Name: qt5-%{qt_module} Version: 5.15.16 -Release: 1 +Release: 2 Summary: Qt5 - QtImageFormats component License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0 Url: https://www.qt.io %global majmin %(echo %{version} | cut -d. -f1-2) Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz +# https://download.qt.io/official_releases/qt/6.5/CVE-2025-5683-qtimageformats-6.5.patch +Patch0: CVE-2025-5683.patch BuildRequires: make BuildRequires: qt5-qtbase-devel >= %{version} @@ -65,6 +67,9 @@ rm -rv src/3rdparty %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_*Plugin.cmake %changelog +* Thu Oct 16 2025 Funda Wang - 5.15.16-2 +- fix CVE-2025-5683 + * Tue Apr 08 2025 Funda Wang - 5.15.16-1 - update to version 5.15.16 -- Gitee
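Review bot: `Patch0: CVE-2025-5683.patch` is declared in the first hunk, but the `%prep` section lies outside both hunks, so nothing visible shows that the patch is actually applied. If `%prep` uses plain `%setup` rather than `%autosetup -p1`, the build would still succeed and ship the unfixed ICNS plugin under a release that claims the fix; please confirm, and add `%patch -P0 -p1` after `%setup` if needed. The comment above `Patch0` cites the 6.5 patch, while this package builds 5.15.16. If the file came from a 5.15-specific upstream patch, cite that URL instead, or note that the 6.5 patch was checked to apply cleanly, so the provenance can be verified.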