diff --git a/CVE-2021-45930.patch b/CVE-2021-45930.patch deleted file mode 100644 index 73bca31c7e158596252d0c5c527ec64905cd161d..0000000000000000000000000000000000000000 --- a/CVE-2021-45930.patch +++ /dev/null @@ -1,223 +0,0 @@ -From a3b753c2d077313fc9eb93af547051b956e383fc Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland -Date: Mon, 25 Oct 2021 14:17:55 +0200 -Subject: [PATCH] Do stricter error checking when parsing path nodes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SVG spec mandates that path parsing should terminate on the first -error encountered, and an error be reported. To improve the handling -of corrupt files, implement such error handling, and also limit the -number of QPainterPath elements to a reasonable range. - -Fixes: QTBUG-96044 -Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 -Reviewed-by: Allan Sandfeld Jensen -Reviewed-by: Robert Löhning -(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) -Reviewed-by: Qt Cherry-pick Bot ---- - src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 34 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 08ee7819..db21d5f4 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1611,6 +1611,7 @@ static void pathArc(QPainterPath &path, - - static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - { -+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this - qreal x0 = 0, y0 = 0; // starting point - qreal x = 0, y = 0; // current point - char lastMode = 0; -@@ -1618,7 +1619,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - const QChar *str = dataStr.constData(); - const QChar *end = str + dataStr.size(); - -- while (str != end) { -+ bool ok = true; -+ while (ok && str != end) { - while (str->isSpace()) - ++str; - QChar pathElem = *str; -@@ -1632,14 +1634,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - arg.append(0);//dummy - const qreal *num = arg.constData(); - int count = arg.count(); -- while (count > 0) { -+ while (ok && count > 0) { - qreal offsetX = x; // correction offsets - qreal offsetY = y; // for relative commands - switch (pathElem.unicode()) { - case 'm': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0] + offsetX; -@@ -1656,8 +1657,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'M': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0]; -@@ -1683,8 +1683,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'l': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0] + offsetX; -@@ -1697,8 +1696,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'L': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0]; -@@ -1738,8 +1736,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'c': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1755,8 +1752,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'C': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0], num[1]); -@@ -1772,8 +1768,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 's': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1794,8 +1789,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'S': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1816,8 +1810,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1832,8 +1825,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'Q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0], num[1]); -@@ -1848,8 +1840,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 't': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1869,8 +1860,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'T': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0], num[1]); -@@ -1890,8 +1880,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'a': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1913,8 +1902,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'A': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1935,12 +1923,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - break; - default: -- return false; -+ ok = false; -+ break; - } - lastMode = pathElem.toLatin1(); -+ if (path.elementCount() > maxElementCount) -+ ok = false; - } - } -- return true; -+ return ok; - } - - static bool parseStyle(QSvgNode *node, -@@ -2976,8 +2967,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, - - QPainterPath qpath; - qpath.setFillRule(Qt::WindingFill); -- //XXX do error handling -- parsePathDataFast(data, qpath); -+ if (!parsePathDataFast(data, qpath)) -+ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); - - QSvgNode *path = new QSvgPath(parent, qpath); - return path; - - diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec index f0bc0daa5583acf5a796c9853c6264a48f361679..bbae9396b98fd063329678b8f2b075e8b74e67fb 100644 --- a/qt5-qtsvg.spec +++ b/qt5-qtsvg.spec @@ -1,12 +1,14 @@ -Name: qt5-qtsvg -Version: 5.11.1 -Release: 6 -Summary: Qt GUI toolkit for rendering and displaying SVG -License: LGPLv2 with exceptions or GPLv3 with exceptions -Url: http://www.qt.io -Source0: https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz -Patch0001: qtsvg-opensource-src-5.6.0-beta1-example-install.patch -Patch0002: CVE-2021-45930.patch +Name: qt5-qtsvg +Version: 5.15.2 +Release: 1 +Summary: Qt GUI toolkit for rendering and displaying SVG +License: LGPLv2 with exceptions or GPLv3 with exceptions +Url: http://www.qt.io +%global majmin %(echo %{version} | cut -d. -f1-2) +Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz +Patch0: qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch + +BuildRequires: make BuildRequires: qt5-qtbase-devel >= %{version} pkgconfig(zlib) qt5-qtbase-private-devel %{?_qt5:Requires: %{_qt5} = %{_qt5_version}} @@ -52,6 +54,7 @@ popd %dir %{_qt5_libdir}/cmake/Qt5Svg/ %{_qt5_libdir}/{libQt5Svg.so.5*,cmake/Qt5Svg/Qt5Svg_*Plugin.cmake} %{_qt5_plugindir}/{iconengines/libqsvgicon.so,imageformats/libqsvg.so} +%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QSvg*Plugin.cmake %files devel %{_qt5_examplesdir}/ @@ -61,8 +64,11 @@ popd %{_qt5_archdatadir}/mkspecs/modules/qt_lib_svg*.pri %changelog -* Thu Jan 13 2022 wangkai - 5.11.1-6 -- Fix CVE-2021-45930 +* Wed Dec 29 2021 peijiankang - 5.15.2-1 +- update to upstream version 5.15.2 + +* Wed Dec 08 2021 liuxinhao - 5.11.1-6 +- Allow style without type attribute * Mon Sep 14 2020 liuweibo - 5.11.1-5 - Fix Source0 diff --git a/qt5-qtsvg.yaml b/qt5-qtsvg.yaml index 8c797f1133fcfc2c6534b24aefa67fb8c5197687..154a0c51dbc0ca537aa5059a81ed33ffdef69724 100644 --- a/qt5-qtsvg.yaml +++ b/qt5-qtsvg.yaml @@ -1,4 +1,4 @@ version_control: git src_repo: https://code.qt.io/qt/qtsvg.git -tag_prefix: ^v -seperator: . +tag_prefix: "^v" +separator: "." diff --git a/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch new file mode 100644 index 0000000000000000000000000000000000000000..83db8645c37fdc64d613a188140886d8aad125c2 --- /dev/null +++ b/qtsvg-5.15.2-clamp-parsed-doubles-to-float-representtable-values.patch @@ -0,0 +1,30 @@ +diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp +--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2020-10-27 09:02:11.000000000 +0100 ++++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2021-03-09 17:48:50.187425243 +0100 +@@ -65,6 +65,7 @@ + #include "private/qmath_p.h" + + #include "float.h" ++#include + + QT_BEGIN_NAMESPACE + +@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str) + val = -val; + } else { + val = QByteArray::fromRawData(temp, pos).toDouble(); ++ // Do not tolerate values too wild to be represented normally by floats ++ if (std::fpclassify(float(val)) != FP_NORMAL) ++ val = 0; + } + return val; + +@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr + ncy = toDouble(cy); + if (!r.isEmpty()) + nr = toDouble(r); ++ if (nr < 0.5) ++ nr = 0.5; + + qreal nfx = ncx; + if (!fx.isEmpty()) diff --git a/qtsvg-everywhere-src-5.11.1.tar.xz b/qtsvg-everywhere-src-5.11.1.tar.xz deleted file mode 100644 index 9d71de09f4da7594fdf7c888dd8c30c500d18e40..0000000000000000000000000000000000000000 Binary files a/qtsvg-everywhere-src-5.11.1.tar.xz and /dev/null differ diff --git a/qtsvg-everywhere-src-5.15.2.tar.xz b/qtsvg-everywhere-src-5.15.2.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..eb11c2de0a05530e534bbc871c2bf1547da225bf Binary files /dev/null and b/qtsvg-everywhere-src-5.15.2.tar.xz differ diff --git a/qtsvg-opensource-src-5.6.0-beta1-example-install.patch b/qtsvg-opensource-src-5.6.0-beta1-example-install.patch deleted file mode 100644 index d2eb649fa5d2052dead40a2b83f68ac58012d368..0000000000000000000000000000000000000000 --- a/qtsvg-opensource-src-5.6.0-beta1-example-install.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/examples/svg/richtext/textobject/textobject.pro b/examples/svg/richtext/textobject/textobject.pro -index 8892ae7..f9ec7c6 100644 ---- a/examples/svg/richtext/textobject/textobject.pro -+++ b/examples/svg/richtext/textobject/textobject.pro -@@ -14,6 +14,6 @@ INSTALLS += target - - wince*{ - filesToDeploy.files = files/*.svg -- filesToDeploy.path = files -+ filesToDeploy.path = $$[QT_INSTALL_EXAMPLES]/svg/richtext/textobject/files - DEPLOYMENT += filesToDeploy - }