From 6f9acaca25c65c5d42f4b7a0544d768301f7bda8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=BC?=
Date: Wed, 13 Aug 2025 14:05:52 +0800
Subject: [PATCH] fix CVE-2025-1919 CVE-2025-0436

---
 CVE-2025-0436.patch | 58 ++++++++++++++++++++++++++++++++
 CVE-2025-1919.patch | 78 ++++++++++++++++++++++++++++++++++++++++++++
 qt5-qtwebengine.spec | 13 +++++++-
 3 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-0436.patch
 create mode 100644 CVE-2025-1919.patch

diff --git a/CVE-2025-0436.patch b/CVE-2025-0436.patch
new file mode 100644
index 0000000..0a6fffb
--- /dev/null
+++ b/CVE-2025-0436.patch
@@ -0,0 +1,58 @@
+From 71ac0d61af2af32abf95a8ff31d243f72240916b Mon Sep 17 00:00:00 2001
+From: zhaoshun
+Date: Tue, 29 Jul 2025 17:32:08 +0800
+Subject: [PATCH] CVE-2025-0436
+
+---
+ .../src/gpu/ops/GrAAHairLinePathRenderer.cpp | 23 +++++++++++++++----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
+index c4ae781..a91eaac 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
+@@ -11,6 +11,7 @@
+ #include "src/core/SkMatrixPriv.h"
+ #include "src/core/SkPointPriv.h"
+ #include "src/core/SkRectPriv.h"
++#include "src/core/SkSafeMath.h"
+ #include "src/core/SkStroke.h"
+ #include "src/gpu/GrAuditTrail.h"
+ #include "src/gpu/GrBuffer.h"
+@@ -1189,16 +1190,28 @@ void AAHairlineOp::onPrepareDraws(Target* target) {
+ 
+ int instanceCount = fPaths.count();
+ bool convertConicsToQuads = !target->caps().shaderCaps()->floatIs32Bits();
+- for (int i = 0; i < instanceCount; i++) {
++ SkSafeMath safeMath;
++ for (int i = 0; i < instanceCount && safeMath.ok(); i++) {
+ const PathData& args = fPaths[i];
+- quadCount += gather_lines_and_quads(args.fPath, args.fViewMatrix, args.fDevClipBounds,
+- args.fCapLength, convertConicsToQuads, &lines, &quads,
+- &conics, &qSubdivs, &cWeights);
++ quadCount = safeMath.addInt(quadCount,
++ gather_lines_and_quads(args.fPath,
++ args.fViewMatrix,
++ args.fDevClipBounds,
++ args.fCapLength,
++ convertConicsToQuads,
++ &lines,
++ &quads,
++ &conics,
++ &qSubdivs,
++ &cWeights));
+ }
+ 
+ int lineCount = lines.count() / 2;
+ int conicCount = conics.count() / 3;
+- int quadAndConicCount = conicCount + quadCount;
++ int quadAndConicCount = safeMath.addInt(conicCount, quadCount);
++ if (!safeMath.ok()) {
++ return;
++ }
+ 
+ static constexpr int kMaxLines = SK_MaxS32 / kLineSegNumVertices;
+ static constexpr int kMaxQuadsAndConics = SK_MaxS32 / kQuadNumVertices;
+-- 
+2.43.5
+
diff --git a/CVE-2025-1919.patch b/CVE-2025-1919.patch
new file mode 100644
index 0000000..7959215
--- /dev/null
+++ b/CVE-2025-1919.patch
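Review bot: The bare `return;` added after the `safeMath.ok()` test in the `@@ -1189,16 +1190,28` hunk makes onPrepareDraws silently prepare no geometry, and nothing at that line says why an op may legitimately do so; a one-line comment such as `// Total vertex count overflowed int: skip the draw rather than size buffers from a wrapped count.` would record the intent next to the code. The body of onPrepareDraws begins and ends outside the hunk, so whether the later execute path tolerates an op that prepared nothing cannot be confirmed here — presumably it mirrors the upstream exit, but that is worth verifying in the 87-based tree. The patch file's own Subject is only the CVE id, and the upstream qtwebengine-chromium commit id lives solely in a spec comment; repeating it in the patch description would keep the provenance with the code. The same documentation point applies to the CVE-2025-1919 patch below.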
@@ -0,0 +1,78 @@
+From 54214171fceb920a4037a70ece60d478cd43e2d3 Mon Sep 17 00:00:00 2001
+From: zhaoshun
+Date: Tue, 29 Jul 2025 17:45:55 +0800
+Subject: [PATCH] CVE-2025-1919
+
+---
+ .../mojo/common/media_type_converters.cc | 28 +++++++++++++++----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+index 933774836..f9e3ecc46 100644
+--- a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
++++ b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+@@ -4,15 +4,15 @@
+ 
+ #include "media/mojo/common/media_type_converters.h"
+ 
+-#include
+-#include
+ #include
+ 
+ #include "base/logging.h"
++#include "base/numerics/checked_math.h"
+ #include "base/numerics/safe_conversions.h"
+ #include "media/base/audio_buffer.h"
+ #include "media/base/decoder_buffer.h"
+ #include "media/base/decrypt_config.h"
++#include "media/base/sample_format.h"
+ #include "media/base/subsample_entry.h"
+ #include "mojo/public/cpp/system/buffer.h"
+ 
+@@ -151,7 +151,7 @@ TypeConverter, media::mojom::AudioBufferPtr>::
+ static_cast(input->channel_layout) > media::CHANNEL_LAYOUT_MAX ||
+ ChannelLayoutToChannelCount(input->channel_layout) !=
+ input->channel_count) {
+- LOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
++ DLOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
+ return media::AudioBuffer::CreateEOSBuffer();
+ }
+ 
+@@ -163,14 +163,32 @@ TypeConverter, media::mojom::AudioBufferPtr>::
+ input->timestamp);
+ }
+ 
++ // Safe to cast, since we already checked `sample_format` doesn't exceed
++ // media::kSampleFormatMax above.
++ const size_t bytes_per_channel = SampleFormatToBytesPerChannel(
++ static_cast(input->sample_format));
++
++ // `bytes_per_channel` could be 0 if we received a kUnknownFormat. In that
++ // case, and in the case of a overflow below, `min_data_size` will be 0,
++ // and we will return an EOS below.
++ const size_t min_data_size =
++ base::CheckMul(input->frame_count,
++ base::CheckMul(input->channel_count, bytes_per_channel))
++ .ValueOrDefault(0u);
++ if (input->data.size() < min_data_size) {
++ DLOG(ERROR) << "Received invalid AudioBuffer, replace it with EOS.";
++ return media::AudioBuffer::CreateEOSBuffer();
++ }
++
+ // Setup channel pointers. AudioBuffer::CopyFrom() will only use the first
+ // one in the case of interleaved data.
+ std::vector channel_ptrs(input->channel_count, nullptr);
+ const size_t size_per_channel = input->data.size() / input->channel_count;
+ DCHECK_EQ(0u, input->data.size() % input->channel_count);
+- for (int i = 0; i < input->channel_count; ++i)
++ for (int i = 0; i < input->channel_count; ++i) {
+ channel_ptrs[i] = input->data.data() + i * size_per_channel;
+-
++ }
++
+ return media::AudioBuffer::CopyFrom(
+ input->sample_format, input->channel_layout, input->channel_count,
+ input->sample_rate, input->frame_count, &channel_ptrs[0],
+-- 
+2.43.5
+
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index 770e788..35eb2ec 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -52,7 +52,7 @@ Summary: Qt5 - QtWebEngine components
 Name: qt5-qtwebengine
 Version: 5.15.10
-Release: 6
+Release: 7
 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details
 # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html
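Review bot: In the `@@ -163,14 +163,32` hunk the new comment states that a zero `min_data_size` (a kUnknownFormat, or an overflowed product) ends in an EOS return, but the guard that follows is only `if (input->data.size() < min_data_size)`, which is never true when `min_data_size` is 0, so both cases fall through to the channel-pointer setup and `CopyFrom` with the payload size unchecked. Either the guard should cover them, `if (!min_data_size || input->data.size() < min_data_size) {`, or the comment should name what actually rejects them. The earlier validation block is only partly visible in the `@@ -151,7` hunk and the converter starts before it, so a separate sample-format or frame-count check may already exclude these inputs; what is visible here does not. The `LOG(ERROR)` to `DLOG(ERROR)` change also means release builds no longer record a rejected buffer; if that is deliberate, a short comment would save the next reader the question.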
@@ -130,6 +130,11 @@ Patch1001: riscv-qt5-qtwebengine.patch
 Patch1002: qtwebengine-ffmpeg5.patch
 %endif
+# https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=87-based&id=8882ed795a3dc6b489982f6d6869e5c22d3703ea
+Patch6000: CVE-2025-0436.patch
+# https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=87-based&id=3071e0f441112dee998a427e1827d7a2d91101a4
+Patch6001: CVE-2025-1919.patch
+
 BuildRequires: make
 BuildRequires: qt5-qtbase-devel
 BuildRequires: qt5-qtbase-private-devel
@@ -447,6 +452,9 @@ popd
 %patch1002 -p1 -b .qtwebengine-ffmpeg5
 %endif
+%patch6000 -p1
+%patch6001 -p1
+
 # delete all "toolprefix = " lines from build/toolchain/linux/BUILD.gn, as we
 # never cross-compile in native Fedora RPMs, fixes ARM and aarch64 FTBFS
 sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \
@@ -665,6 +673,9 @@ done
 %changelog
+* Wed Aug 13 2025 Zhang Yi - 5.15.10-7
+- fix up CVE-2025-0436 && CVE-2025-1919
+
 * Wed Apr 03 2024 misaka00251 - 5.15.10-6
 - Migrate python 2 to python 3 & Fix build on riscv64
-- Gitee