From 96bb8e58628fe9263a87836a8b13a3486dd81a5e Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Sat, 7 Jun 2025 13:52:50 +0800
Subject: [PATCH] fix CVE-2025-5683
(cherry picked from commit 09fb0fc3bd5d67ea835a21348cbdc064b16579f6)
---
CVE-2025-5683-qtimageformats-6.5.patch | 29 ++++++++++++++++++++++++++
qt6-qtimageformats.spec | 6 +++++-
2 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 CVE-2025-5683-qtimageformats-6.5.patch
diff --git a/CVE-2025-5683-qtimageformats-6.5.patch b/CVE-2025-5683-qtimageformats-6.5.patch
new file mode 100644
index 0000000..02c0438
--- /dev/null
+++ b/CVE-2025-5683-qtimageformats-6.5.patch
@@ -0,0 +1,29 @@
+diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
+index 02086cbf26c..207f7cd8393 100644
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -323,8 +323,11 @@ static inline bool isPowOf2OrDividesBy16(quint32 u, qreal r)
+
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+- return header.ostype != 0 && (bound == 0
+- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++ return header.ostype != 0 &&
++ (bound == 0 ||
++ // qBound can be used but requires checking the limits first
++ // this requires less operations
++ (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -869,7 +872,7 @@ bool QICNSHandler::scanDevice()
+ return false;
+
+ const qint64 blockDataOffset = device()->pos();
+- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+ qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+ QByteArray::number(blockDataOffset).constData(),
+ nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
+
+
diff --git a/qt6-qtimageformats.spec b/qt6-qtimageformats.spec
index 236f5d2..c8b2b3f 100644
--- a/qt6-qtimageformats.spec
+++ b/qt6-qtimageformats.spec
@@ -5,7 +5,7 @@ Summary: Qt6 - QtImageFormats component
 Name: qt6-%{qt_module}
 Version: 6.5.2
-Release: 1
+Release: 2
 License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
 Url: http://www.qt.io
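Review bot: In the `scanDevice()` hunk of the embedded qicnshandler.cpp patch, the reordered bound `ICNSBlockHeaderSize - blockDataOffset + filelength` is still passed straight into a `quint64` parameter whose value 0 means "no limit" (`bound == 0 ||` in `isBlockHeaderValid`). `blockDataOffset` is a `qint64`, so if the declared `filelength` is smaller than the current device position the result would presumably go negative and convert to a very large bound, and a result of exactly 0 skips the length comparison altogether; the declaration and validation of `filelength` are outside the hunk, so this needs confirming against the full function. A guard before the call would close both cases, e.g. `const qint64 remaining = qint64(ICNSBlockHeaderSize) + qint64(filelength) - blockDataOffset;` followed by `if (remaining < qint64(ICNSBlockHeaderSize) || !isBlockHeaderValid(blockHeader, quint64(remaining))) {`. The new comparison `ICNSBlockHeaderSize <= header.length` also relies on both operands having the same signedness, which the hunk does not show.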
@@ -15,6 +15,7 @@ Url: http://www.qt.io
 Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz
 Patch0: qtimageformats-fix-build.patch
+Patch1: CVE-2025-5683-qtimageformats-6.5.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -67,6 +68,9 @@ DESTDIR="%{buildroot}" cmake --install .
 %changelog
+* Sat Jun 07 2025 Funda Wang - 6.5.2-2
+- fix CVE-2025-5683
+
 * Tue Aug 08 2023 peijiankang - 6.5.2-1
 - 6.5.2
--
Gitee