From d858d61f41c99a4fe850326d879cbeeb668f38c5 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Thu, 13 Jan 2022 15:27:37 +0800 Subject: [PATCH 1/2] Fix CVE-2021-45930 (cherry picked from commit 8785ca45a9103cbc72e46fef39f2ad38185b9879) --- CVE-2021-45930.patch | 223 +++++++++++++++++++++++++++++++++++++++++++ qt5-qtsvg.spec | 3 + 2 files changed, 226 insertions(+) create mode 100644 CVE-2021-45930.patch diff --git a/CVE-2021-45930.patch b/CVE-2021-45930.patch new file mode 100644 index 0000000..73bca31 --- /dev/null +++ b/CVE-2021-45930.patch @@ -0,0 +1,223 @@ +From a3b753c2d077313fc9eb93af547051b956e383fc Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland +Date: Mon, 25 Oct 2021 14:17:55 +0200 +Subject: [PATCH] Do stricter error checking when parsing path nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The SVG spec mandates that path parsing should terminate on the first +error encountered, and an error be reported. To improve the handling +of corrupt files, implement such error handling, and also limit the +number of QPainterPath elements to a reasonable range. + +Fixes: QTBUG-96044 +Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 +Reviewed-by: Allan Sandfeld Jensen +Reviewed-by: Robert Löhning +(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) +Reviewed-by: Qt Cherry-pick Bot +--- + src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ + 1 file changed, 25 insertions(+), 34 deletions(-) + +diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp +index 08ee7819..db21d5f4 100644 +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -1611,6 +1611,7 @@ static void pathArc(QPainterPath &path, + + static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + { ++ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this + qreal x0 = 0, y0 = 0; // starting point + qreal x = 0, y = 0; // current point + char lastMode = 0; +@@ -1618,7 +1619,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + const QChar *str = dataStr.constData(); + const QChar *end = str + dataStr.size(); + +- while (str != end) { ++ bool ok = true; ++ while (ok && str != end) { + while (str->isSpace()) + ++str; + QChar pathElem = *str; +@@ -1632,14 +1634,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + arg.append(0);//dummy + const qreal *num = arg.constData(); + int count = arg.count(); +- while (count > 0) { ++ while (ok && count > 0) { + qreal offsetX = x; // correction offsets + qreal offsetY = y; // for relative commands + switch (pathElem.unicode()) { + case 'm': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = x0 = num[0] + offsetX; +@@ -1656,8 +1657,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'M': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = x0 = num[0]; +@@ -1683,8 +1683,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'l': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = num[0] + offsetX; +@@ -1697,8 +1696,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'L': { + if (count < 2) { +- num++; +- count--; ++ ok = false; + break; + } + x = num[0]; +@@ -1738,8 +1736,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'c': { + if (count < 6) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1(num[0] + offsetX, num[1] + offsetY); +@@ -1755,8 +1752,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'C': { + if (count < 6) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1(num[0], num[1]); +@@ -1772,8 +1768,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 's': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1; +@@ -1794,8 +1789,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'S': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c1; +@@ -1816,8 +1810,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'q': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c(num[0] + offsetX, num[1] + offsetY); +@@ -1832,8 +1825,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'Q': { + if (count < 4) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF c(num[0], num[1]); +@@ -1848,8 +1840,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 't': { + if (count < 2) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF e(num[0] + offsetX, num[1] + offsetY); +@@ -1869,8 +1860,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'T': { + if (count < 2) { +- num += count; +- count = 0; ++ ok = false; + break; + } + QPointF e(num[0], num[1]); +@@ -1890,8 +1880,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + case 'a': { + if (count < 7) { +- num += count; +- count = 0; ++ ok = false; + break; + } + qreal rx = (*num++); +@@ -1913,8 +1902,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + break; + case 'A': { + if (count < 7) { +- num += count; +- count = 0; ++ ok = false; + break; + } + qreal rx = (*num++); +@@ -1935,12 +1923,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) + } + break; + default: +- return false; ++ ok = false; ++ break; + } + lastMode = pathElem.toLatin1(); ++ if (path.elementCount() > maxElementCount) ++ ok = false; + } + } +- return true; ++ return ok; + } + + static bool parseStyle(QSvgNode *node, +@@ -2976,8 +2967,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, + + QPainterPath qpath; + qpath.setFillRule(Qt::WindingFill); +- //XXX do error handling +- parsePathDataFast(data, qpath); ++ if (!parsePathDataFast(data, qpath)) ++ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); + + QSvgNode *path = new QSvgPath(parent, qpath); + return path; + + diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index 4bfe457..84f93d4 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec @@ -60,6 +60,9 @@ popd %{_qt5_archdatadir}/mkspecs/modules/qt_lib_svg*.pri %changelog +* Thu Jan 13 2022 wangkai - 5.11.1-6 +- Fix CVE-2021-45930 + * Fri Sep 18 2020 liuweibo - 5.11.1-5 - Fix Source0 -- Gitee From 61dd26c27a78ad9944fcb98f1f6623368eb59567 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Thu, 13 Jan 2022 19:35:06 +0800 Subject: [PATCH 2/2] Fix CVE-2021-45930 (cherry picked from commit 44d619f527c651710b79279689b380c1b8813682) --- qt5-qtsvg.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index 84f93d4..f85c6b8 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec @@ -1,11 +1,12 @@ Name: qt5-qtsvg Version: 5.11.1 -Release: 5 +Release: 6 Summary: Qt GUI toolkit for rendering and displaying SVG License: LGPLv2 with exceptions or GPLv3 with exceptions Url: http://www.qt.io Source0: https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz Patch0001: qtsvg-opensource-src-5.6.0-beta1-example-install.patch +Patch0002: CVE-2021-45930.patch BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel %{?_qt5:Requires: %{_qt5} = %{_qt5_version}} -- Gitee