From e008dba0dcac970a34d2edf128911961663a2727 Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Thu, 12 Dec 2024 12:11:27 +0800 Subject: [PATCH] fix CVE-2023-45935, CVE-2024-25580 --- qt6-qtbase.spec | 7 +- qtbase6.5.2-CVE-2023-45935.patch | 38 ++++ qtbase6.5.2-CVE-2024-25580.patch | 325 +++++++++++++++++++++++++++++++ 3 files changed, 369 insertions(+), 1 deletion(-) create mode 100644 qtbase6.5.2-CVE-2023-45935.patch create mode 100644 qtbase6.5.2-CVE-2024-25580.patch diff --git a/qt6-qtbase.spec b/qt6-qtbase.spec index 5eea97a..9c289ae 100644 --- a/qt6-qtbase.spec +++ b/qt6-qtbase.spec @@ -27,7 +27,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt6-qtbase Summary: Qt6 - QtBase components Version: 6.5.2 -Release: 5 +Release: 7 License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0 Url: http://qt-project.org/ @@ -90,6 +90,8 @@ Patch6003:qtbase6.5.1-CVE-2023-43114.patch Patch6004:qtbase6.5.2-CVE-2023-51714.patch Patch6005:qtbase6.5.2-CVE-2024-33861.patch Patch6006:qtbase6.5.2-CVE-2024-39936.patch +Patch6007:qtbase6.5.2-CVE-2023-45935.patch +Patch6008:qtbase6.5.2-CVE-2024-25580.patch # Do not check any files in %%{_qt6_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -801,6 +803,9 @@ make check -k ||: %changelog +* Thu Dec 12 2024 Funda Wang - 6.5.2-7 +- fix CVE-2023-45935, CVE-2024-25580 + * Wed Dec 11 2024 Funda Wang - 6.5.2-5 - fix CVE-2024-33861, CVE-2024-39936 - add missing xcb plugin diff --git a/qtbase6.5.2-CVE-2023-45935.patch b/qtbase6.5.2-CVE-2023-45935.patch new file mode 100644 index 0000000..7e620cc --- /dev/null +++ b/qtbase6.5.2-CVE-2023-45935.patch @@ -0,0 +1,38 @@ +From 552e3b9b78c136aebedf0a591af04661f0dedbbf Mon Sep 17 00:00:00 2001 +From: Liang Qi +Date: Mon, 31 Jul 2023 05:35:11 +0200 +Subject: xcb: guard a pointer before usage + +in QXcbAtom::initializeAllAtoms(). + +See also the example in +https://manpages.debian.org/testing/libxcb-doc/xcb_intern_atom_reply.3.en.html + +Fixes: QTBUG-115599 +Pick-to: 6.6 6.5 6.2 +Change-Id: I6590fe1aa11deec7fef7ce6d8f5c49a71d636648 +Reviewed-by: Axel Spoerl +--- + src/plugins/platforms/xcb/qxcbatom.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/plugins/platforms/xcb/qxcbatom.cpp b/src/plugins/platforms/xcb/qxcbatom.cpp +index 09b1fe8a9d..a456c19490 100644 +--- a/src/plugins/platforms/xcb/qxcbatom.cpp ++++ b/src/plugins/platforms/xcb/qxcbatom.cpp +@@ -230,8 +230,10 @@ void QXcbAtom::initializeAllAtoms(xcb_connection_t *connection) { + + for (i = 0; i < QXcbAtom::NAtoms; ++i) { + xcb_intern_atom_reply_t *reply = xcb_intern_atom_reply(connection, cookies[i], nullptr); +- m_allAtoms[i] = reply->atom; +- free(reply); ++ if (reply) { ++ m_allAtoms[i] = reply->atom; ++ free(reply); ++ } + } + } + +-- +cgit v1.2.3 + diff --git a/qtbase6.5.2-CVE-2024-25580.patch b/qtbase6.5.2-CVE-2024-25580.patch new file mode 100644 index 0000000..13238af --- /dev/null +++ b/qtbase6.5.2-CVE-2024-25580.patch @@ -0,0 +1,325 @@ +diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp +index ee5e879516..d52d6a8a3c 100644 +--- a/src/gui/util/qktxhandler.cpp ++++ b/src/gui/util/qktxhandler.cpp +@@ -41,7 +41,7 @@ struct KTXHeader { + quint32 bytesOfKeyValueData; + }; + +-static const quint32 qktxh_headerSize = sizeof(KTXHeader); ++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader); + + // Currently unused, declared for future reference + struct KTXKeyValuePairItem { +@@ -71,11 +71,24 @@ struct KTXMipmapLevel { + */ + }; + +-// Returns the nearest multiple of 'rounding' greater than or equal to 'value' +-constexpr quint32 withPadding(quint32 value, quint32 rounding) ++// Returns the nearest multiple of 4 greater than or equal to 'value' ++static const std::optional nearestMultipleOf4(quint32 value) + { +- Q_ASSERT(rounding > 1); +- return value + (rounding - 1) - ((value + (rounding - 1)) % rounding); ++ constexpr quint32 rounding = 4; ++ quint32 result = 0; ++ if (qAddOverflow(value, rounding - 1, &result)) ++ return std::nullopt; ++ result &= ~(rounding - 1); ++ return result; ++} ++ ++// Returns a view with prechecked bounds ++static QByteArrayView safeView(QByteArrayView view, quint32 start, quint32 length) ++{ ++ quint32 end = 0; ++ if (qAddOverflow(start, length, &end) || end > quint32(view.length())) ++ return {}; ++ return view.sliced(start, length); + } + + QKtxHandler::~QKtxHandler() = default; +@@ -83,8 +96,7 @@ QKtxHandler::~QKtxHandler() = default; + bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block) + { + Q_UNUSED(suffix); +- +- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0); ++ return block.startsWith(ktxIdentifier); + } + + QTextureFileData QKtxHandler::read() +@@ -93,55 +105,122 @@ QTextureFileData QKtxHandler::read() + return QTextureFileData(); + + const QByteArray buf = device()->readAll(); +- const quint32 dataSize = quint32(buf.size()); +- if (dataSize < qktxh_headerSize || !canRead(QByteArray(), buf)) { +- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); ++ if (buf.size() > std::numeric_limits::max()) { ++ qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ if (!canRead(QByteArray(), buf)) { ++ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); + return QTextureFileData(); + } + +- const KTXHeader *header = reinterpret_cast(buf.data()); +- if (!checkHeader(*header)) { +- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); ++ if (buf.size() < qsizetype(qktxh_headerSize)) { ++ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ KTXHeader header; ++ memcpy(&header, buf.data(), qktxh_headerSize); ++ if (!checkHeader(header)) { ++ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); + return QTextureFileData(); + } + + QTextureFileData texData; + texData.setData(buf); + +- texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight))); +- texData.setGLFormat(decode(header->glFormat)); +- texData.setGLInternalFormat(decode(header->glInternalFormat)); +- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat)); ++ texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight))); ++ texData.setGLFormat(decode(header.glFormat)); ++ texData.setGLInternalFormat(decode(header.glInternalFormat)); ++ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat)); + +- texData.setNumLevels(decode(header->numberOfMipmapLevels)); +- texData.setNumFaces(decode(header->numberOfFaces)); ++ texData.setNumLevels(decode(header.numberOfMipmapLevels)); ++ texData.setNumFaces(decode(header.numberOfFaces)); ++ ++ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData); ++ quint32 headerKeyValueSize; ++ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s", ++ logName().constData()); ++ return QTextureFileData(); ++ } + +- const quint32 bytesOfKeyValueData = decode(header->bytesOfKeyValueData); +- if (qktxh_headerSize + bytesOfKeyValueData < quint64(buf.size())) // oob check +- texData.setKeyValueMetadata(decodeKeyValues( +- QByteArrayView(buf.data() + qktxh_headerSize, bytesOfKeyValueData))); +- quint32 offset = qktxh_headerSize + bytesOfKeyValueData; ++ if (headerKeyValueSize >= quint32(buf.size())) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ // File contains key/values ++ if (bytesOfKeyValueData > 0) { ++ auto keyValueDataView = safeView(buf, qktxh_headerSize, bytesOfKeyValueData); ++ if (keyValueDataView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ auto keyValues = decodeKeyValues(keyValueDataView); ++ if (!keyValues) { ++ qWarning(lcQtGuiTextureIO, "Could not parse key values in KTX file %s", ++ logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ texData.setKeyValueMetadata(*keyValues); ++ } ++ ++ // Technically, any number of levels is allowed but if the value is bigger than ++ // what is possible in KTX V2 (and what makes sense) we return an error. ++ // maxLevels = log2(max(width, height, depth)) ++ const int maxLevels = (sizeof(quint32) * 8) ++ - qCountLeadingZeroBits(std::max( ++ { header.pixelWidth, header.pixelHeight, header.pixelDepth })); ++ ++ if (texData.numLevels() > maxLevels) { ++ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } + +- constexpr int MAX_ITERATIONS = 32; // cap iterations in case of corrupt data ++ if (texData.numFaces() != 1 && texData.numFaces() != 6) { ++ qWarning(lcQtGuiTextureIO, "Invalid number of faces in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } + +- for (int level = 0; level < qMin(texData.numLevels(), MAX_ITERATIONS); level++) { +- if (offset + sizeof(quint32) > dataSize) // Corrupt file; avoid oob read +- break; ++ quint32 offset = headerKeyValueSize; ++ for (int level = 0; level < texData.numLevels(); level++) { ++ const auto imageSizeView = safeView(buf, offset, sizeof(quint32)); ++ if (imageSizeView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } + +- const quint32 imageSize = decode(qFromUnaligned(buf.data() + offset)); +- offset += sizeof(quint32); ++ const quint32 imageSize = decode(qFromUnaligned(imageSizeView.data())); ++ offset += sizeof(quint32); // overflow checked indirectly above + +- for (int face = 0; face < qMin(texData.numFaces(), MAX_ITERATIONS); face++) { ++ for (int face = 0; face < texData.numFaces(); face++) { + texData.setDataOffset(offset, level, face); + texData.setDataLength(imageSize, level, face); + + // Add image data and padding to offset +- offset += withPadding(imageSize, 4); ++ const auto padded = nearestMultipleOf4(imageSize); ++ if (!padded) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ quint32 offsetNext; ++ if (qAddOverflow(offset, *padded, &offsetNext)) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ offset = offsetNext; + } + } + + if (!texData.isValid()) { +- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData()); ++ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", ++ logName().constData()); + return QTextureFileData(); + } + +@@ -187,33 +266,83 @@ bool QKtxHandler::checkHeader(const KTXHeader &header) + return is2D && (isCubeMap || isCompressedImage); + } + +-QMap QKtxHandler::decodeKeyValues(QByteArrayView view) const ++std::optional> QKtxHandler::decodeKeyValues(QByteArrayView view) const + { + QMap output; + quint32 offset = 0; +- while (offset < view.size() + sizeof(quint32)) { ++ while (offset < quint32(view.size())) { ++ const auto keyAndValueByteSizeView = safeView(view, offset, sizeof(quint32)); ++ if (keyAndValueByteSizeView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value"); ++ return std::nullopt; ++ } ++ + const quint32 keyAndValueByteSize = +- decode(qFromUnaligned(view.constData() + offset)); +- offset += sizeof(quint32); ++ decode(qFromUnaligned(keyAndValueByteSizeView.data())); + +- if (offset + keyAndValueByteSize > quint64(view.size())) +- break; // oob read ++ quint32 offsetKeyAndValueStart; ++ if (qAddOverflow(offset, quint32(sizeof(quint32)), &offsetKeyAndValueStart)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ quint32 offsetKeyAndValueEnd; ++ if (qAddOverflow(offsetKeyAndValueStart, keyAndValueByteSize, &offsetKeyAndValueEnd)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ const auto keyValueView = safeView(view, offsetKeyAndValueStart, keyAndValueByteSize); ++ if (keyValueView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value"); ++ return std::nullopt; ++ } + + // 'key' is a UTF-8 string ending with a null terminator, 'value' is the rest. + // To separate the key and value we convert the complete data to utf-8 and find the first + // null terminator from the left, here we split the data into two. +- const auto str = QString::fromUtf8(view.constData() + offset, keyAndValueByteSize); +- const int idx = str.indexOf('\0'_L1); +- if (idx == -1) +- continue; +- +- const QByteArray key = str.left(idx).toUtf8(); +- const size_t keySize = key.size() + 1; // Actual data size +- const QByteArray value = QByteArray::fromRawData(view.constData() + offset + keySize, +- keyAndValueByteSize - keySize); +- +- offset = withPadding(offset + keyAndValueByteSize, 4); +- output.insert(key, value); ++ ++ const int idx = keyValueView.indexOf('\0'); ++ if (idx == -1) { ++ qWarning(lcQtGuiTextureIO, "Invalid key in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ const QByteArrayView keyView = safeView(view, offsetKeyAndValueStart, idx); ++ if (keyView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ const quint32 keySize = idx + 1; // Actual data size ++ ++ quint32 offsetValueStart; ++ if (qAddOverflow(offsetKeyAndValueStart, keySize, &offsetValueStart)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ quint32 valueSize; ++ if (qSubOverflow(keyAndValueByteSize, keySize, &valueSize)) { ++ qWarning(lcQtGuiTextureIO, "Underflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ const QByteArrayView valueView = safeView(view, offsetValueStart, valueSize); ++ if (valueView.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ output.insert(keyView.toByteArray(), valueView.toByteArray()); ++ ++ const auto offsetNext = nearestMultipleOf4(offsetKeyAndValueEnd); ++ if (!offsetNext) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value"); ++ return std::nullopt; ++ } ++ ++ offset = *offsetNext; + } + + return output; +diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h +index 0fd2487393..1142aa8dc0 100644 +--- a/src/gui/util/qktxhandler_p.h ++++ b/src/gui/util/qktxhandler_p.h +@@ -17,6 +17,8 @@ + + #include "qtexturefilehandler_p.h" + ++#include ++ + QT_BEGIN_NAMESPACE + + struct KTXHeader; +@@ -33,7 +35,7 @@ public: + + private: + bool checkHeader(const KTXHeader &header); +- QMap decodeKeyValues(QByteArrayView view) const; ++ std::optional> decodeKeyValues(QByteArrayView view) const; + quint32 decode(quint32 val) const; + + bool inverseEndian = false; -- Gitee