Message ID | 20230614113800.34975-1-hprajapati@mvista.com |
---|---|
State | New |
Series | [meta-qt5,kirkstone] qt: CVE-2023-32763 Fix Integer overflow |
Is this included in 5.15.9 release used in mickledore branch? There is very little difference between kirkstone and mickledore now as qt5 is pretty much dead. So if it's fixed there I would prefer to merge most if not all changes from mickledore to kirkstone. And if it isn't fixed in mickledore/master yet, then it should be first fixed there and then I can backport it with other changes. On Wed, Jun 14, 2023 at 1:38 PM Hitendra Prajapati <hprajapati@mvista.com> wrote: > Upstream-Status: Backport from > https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff > > Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > --- > recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++ > recipes-qt/qt5/qtbase_git.bb | 1 + > 2 files changed, 75 insertions(+) > create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch > > diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch > b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch > new file mode 100644 > index 0000000..68a1fca > --- /dev/null > +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch 
> @@ -0,0 +1,74 @@ > +From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001 > +From: Allan Sandfeld Jensen <allan.jensen@qt.io> > +Date: Fri, 5 May 2023 09:51:32 +0200 > +Subject: [PATCH] Fix specific overflow in qtextlayout > + > +Adds qAddOverflow and qMulOverflow definitions to QFixed > + > +Fixes: QTBUG-113337 > +Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9 > +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> > +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> > +(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c) > +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> > + > +Upstream-Status: Backport [ > https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff > ] > +CVE: CVE-2023-32763 > +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > +--- > + src/gui/painting/qfixed_p.h | 9 +++++++++ > + src/gui/text/qtextlayout.cpp | 9 ++++++--- > + 2 files changed, 15 insertions(+), 3 deletions(-) > + > +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h > +index 846592881c..57d750a4b3 100644 > +--- a/src/gui/painting/qfixed_p.h > ++++ b/src/gui/painting/qfixed_p.h > +@@ -54,6 +54,7 @@ > + #include <QtGui/private/qtguiglobal_p.h> > + #include "QtCore/qdebug.h" > + #include "QtCore/qpoint.h" > ++#include <QtCore/private/qnumeric_p.h> > + #include "QtCore/qsize.h" > + > + QT_BEGIN_NAMESPACE > +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const > QFixed &f) { return i * 64 < > + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return > f.value() > i * 64; } > + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return > i * 64 > f.value(); } > + > ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) > ++{ > ++ int val; > ++ bool result = add_overflow(v1.value(), v2.value(), &val); > ++ r->setValue(val); > ++ return result; > ++} > ++ > + #ifndef QT_NO_DEBUG_STREAM > + inline QDebug 
&operator<<(QDebug &dbg, const QFixed &f) > + { return dbg << f.toReal(); } > +diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp > +index 26ac37b016..f6c69ff4a2 100644 > +--- a/src/gui/text/qtextlayout.cpp > ++++ b/src/gui/text/qtextlayout.cpp > +@@ -2150,11 +2150,14 @@ found: > + eng->maxWidth = qMax(eng->maxWidth, line.textWidth); > + } else { > + eng->minWidth = qMax(eng->minWidth, lbh.minw); > +- eng->maxWidth += line.textWidth; > ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) > ++ eng->maxWidth = QFIXED_MAX; > + } > + > +- if (line.textWidth > 0 && item < eng->layoutData->items.size()) > +- eng->maxWidth += lbh.spaceData.textWidth; > ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) { > ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, > &eng->maxWidth)) > ++ eng->maxWidth = QFIXED_MAX; > ++ } > + > + line.textWidth += trailingSpace; > + if (lbh.spaceData.length) { > +-- > +2.25.1 > + > diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb > index a5ce677..e8756cf 100644 > --- a/recipes-qt/qt5/qtbase_git.bb > +++ b/recipes-qt/qt5/qtbase_git.bb > @@ -38,6 +38,7 @@ SRC_URI += "\ > > file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \ > file://0022-testlib-don-t-track-the-build-or-source-directories.patch > \ > file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \ > + file://CVE-2023-32763.patch \ > " > > # Disable LTO for now, QT5 patches are being worked upstream, perhaps > revisit with > -- > 2.25.1 > >
Hi,
It is not included in the 5.15.9 release used in mickledore.
I'll try to work on that branch.
On 14/06/23 19:50, Martin Jansa wrote:
> 5.15.9 release used in mickledor
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch new file mode 100644 index 0000000..68a1fca --- /dev/null +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch 
@@ -0,0 +1,74 @@ +From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001 +From: Allan Sandfeld Jensen <allan.jensen@qt.io> +Date: Fri, 5 May 2023 09:51:32 +0200 +Subject: [PATCH] Fix specific overflow in qtextlayout + +Adds qAddOverflow and qMulOverflow definitions to QFixed + +Fixes: QTBUG-113337 +Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9 +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> +(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> + +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff] +CVE: CVE-2023-32763 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/gui/painting/qfixed_p.h | 9 +++++++++ + src/gui/text/qtextlayout.cpp | 9 ++++++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h +index 846592881c..57d750a4b3 100644 +--- a/src/gui/painting/qfixed_p.h ++++ b/src/gui/painting/qfixed_p.h +@@ -54,6 +54,7 @@ + #include <QtGui/private/qtguiglobal_p.h> + #include "QtCore/qdebug.h" + #include "QtCore/qpoint.h" ++#include <QtCore/private/qnumeric_p.h> + #include "QtCore/qsize.h" + + QT_BEGIN_NAMESPACE +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 < + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; } + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); } + ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) ++{ ++ int val; ++ bool result = add_overflow(v1.value(), v2.value(), &val); ++ r->setValue(val); ++ return result; ++} ++ + #ifndef QT_NO_DEBUG_STREAM + inline QDebug &operator<<(QDebug &dbg, const QFixed &f) + { return dbg << f.toReal(); } +diff --git a/src/gui/text/qtextlayout.cpp 
b/src/gui/text/qtextlayout.cpp +index 26ac37b016..f6c69ff4a2 100644 +--- a/src/gui/text/qtextlayout.cpp ++++ b/src/gui/text/qtextlayout.cpp +@@ -2150,11 +2150,14 @@ found: + eng->maxWidth = qMax(eng->maxWidth, line.textWidth); + } else { + eng->minWidth = qMax(eng->minWidth, lbh.minw); +- eng->maxWidth += line.textWidth; ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; + } + +- if (line.textWidth > 0 && item < eng->layoutData->items.size()) +- eng->maxWidth += lbh.spaceData.textWidth; ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) { ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; ++ } + + line.textWidth += trailingSpace; + if (lbh.spaceData.length) { +-- +2.25.1 + diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb index a5ce677..e8756cf 100644 --- a/recipes-qt/qt5/qtbase_git.bb +++ b/recipes-qt/qt5/qtbase_git.bb @@ -38,6 +38,7 @@ SRC_URI += "\ file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \ file://0022-testlib-don-t-track-the-build-or-source-directories.patch \ file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \ + file://CVE-2023-32763.patch \ " # Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with
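Review bot: In the qfixed_p.h hunk at `@@ -182,6 +183,14 @@`, `qAddOverflow()` calls `r->setValue(val)` unconditionally, so on a `true` return `*r` holds whatever `add_overflow()` wrote to `val` rather than a saturated value. Both call sites in qtextlayout.cpp overwrite the result with `QFIXED_MAX`, so this is safe as used here, but a one-line comment on the helper stating that `*r` must not be used when it returns `true` would keep later callers from relying on it. The embedded commit message also says it adds "qAddOverflow and qMulOverflow definitions", while only `qAddOverflow` appears in this hunk; a sentence in the patch header would stop the mismatch being read as a dropped hunk.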
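Review bot: The trailing context of the qtextlayout.cpp hunk at `@@ -2150,11 +2150,14 @@` still contains an unchecked QFixed addition, `line.textWidth += trailingSpace;`, directly after the two additions this patch guards. The subject is "Fix specific overflow in qtextlayout", so the narrow scope looks intentional, but please confirm that `line.textWidth` cannot reach the range where `eng->maxWidth` overflowed, or guard it with `qAddOverflow` as well. The clamp `eng->maxWidth = QFIXED_MAX;` is applied on any overflow, which assumes both operands are non-negative; if a negative width can reach this code, the saturated value would have the wrong sign.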
Upstream-Status: Backport from https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++ recipes-qt/qt5/qtbase_git.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch