
[meta-qt5,kirkstone] qt: CVE-2023-32763 Fix Integer overflow

Message ID 20230614113800.34975-1-hprajapati@mvista.com
State New

Commit Message

Hitendra Prajapati June 14, 2023, 11:38 a.m. UTC
Upstream-Status: Backport from https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++
 recipes-qt/qt5/qtbase_git.bb               |  1 +
 2 files changed, 75 insertions(+)
 create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch

Comments

Martin Jansa June 14, 2023, 2:20 p.m. UTC | #1
Is this included in 5.15.9 release used in mickledore branch?

There is very little difference between kirkstone and mickledore now as qt5
is pretty much dead. So if it's fixed there I would prefer to merge most if
not all changes from mickledore to kirkstone.

And if it isn't fixed in mickledore/master yet, then it should be first
fixed there and then I can backport it with other changes.

On Wed, Jun 14, 2023 at 1:38 PM Hitendra Prajapati <hprajapati@mvista.com>
wrote:

> Upstream-Status: Backport from
> https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++
>  recipes-qt/qt5/qtbase_git.bb               |  1 +
>  2 files changed, 75 insertions(+)
>  create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch
>
> diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> new file mode 100644
> index 0000000..68a1fca
> --- /dev/null
> +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> @@ -0,0 +1,74 @@
> +From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001
> +From: Allan Sandfeld Jensen <allan.jensen@qt.io>
> +Date: Fri, 5 May 2023 09:51:32 +0200
> +Subject: [PATCH] Fix specific overflow in qtextlayout
> +
> +Adds qAddOverflow and qMulOverflow definitions to QFixed
> +
> +Fixes: QTBUG-113337
> +Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
> +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
> +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
> +(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)
> +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
> +
> +Upstream-Status: Backport [
> https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
> ]
> +CVE: CVE-2023-32763
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + src/gui/painting/qfixed_p.h  | 9 +++++++++
> + src/gui/text/qtextlayout.cpp | 9 ++++++---
> + 2 files changed, 15 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
> +index 846592881c..57d750a4b3 100644
> +--- a/src/gui/painting/qfixed_p.h
> ++++ b/src/gui/painting/qfixed_p.h
> +@@ -54,6 +54,7 @@
> + #include <QtGui/private/qtguiglobal_p.h>
> + #include "QtCore/qdebug.h"
> + #include "QtCore/qpoint.h"
> ++#include <QtCore/private/qnumeric_p.h>
> + #include "QtCore/qsize.h"
> +
> + QT_BEGIN_NAMESPACE
> +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const
> QFixed &f) { return i * 64 <
> + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return
> f.value() > i * 64; }
> + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return
> i * 64 > f.value(); }
> +
> ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
> ++{
> ++    int val;
> ++    bool result = add_overflow(v1.value(), v2.value(), &val);
> ++    r->setValue(val);
> ++    return result;
> ++}
> ++
> + #ifndef QT_NO_DEBUG_STREAM
> + inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
> + { return dbg << f.toReal(); }
> +diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
> +index 26ac37b016..f6c69ff4a2 100644
> +--- a/src/gui/text/qtextlayout.cpp
> ++++ b/src/gui/text/qtextlayout.cpp
> +@@ -2150,11 +2150,14 @@ found:
> +         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
> +     } else {
> +         eng->minWidth = qMax(eng->minWidth, lbh.minw);
> +-        eng->maxWidth += line.textWidth;
> ++        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
> ++            eng->maxWidth = QFIXED_MAX;
> +     }
> +
> +-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
> +-        eng->maxWidth += lbh.spaceData.textWidth;
> ++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
> ++        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth,
> &eng->maxWidth))
> ++            eng->maxWidth = QFIXED_MAX;
> ++    }
> +
> +     line.textWidth += trailingSpace;
> +     if (lbh.spaceData.length) {
> +--
> +2.25.1
> +
> diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
> index a5ce677..e8756cf 100644
> --- a/recipes-qt/qt5/qtbase_git.bb
> +++ b/recipes-qt/qt5/qtbase_git.bb
> @@ -38,6 +38,7 @@ SRC_URI += "\
>
>  file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \
>      file://0022-testlib-don-t-track-the-build-or-source-directories.patch
> \
>      file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \
> +    file://CVE-2023-32763.patch \
>  "
>
>  # Disable LTO for now, QT5 patches are being worked upstream, perhaps
> revisit with
> --
> 2.25.1
>
>
Hitendra Prajapati June 15, 2023, 3:29 a.m. UTC | #2
Hi,

It is not included in the 5.15.9 release used in mickledore.

I'll try to work on that branch.

On 14/06/23 19:50, Martin Jansa wrote:
> 5.15.9 release used in mickledor

Patch

diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
new file mode 100644
index 0000000..68a1fca
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
@@ -0,0 +1,74 @@ 
+From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Fri, 5 May 2023 09:51:32 +0200
+Subject: [PATCH] Fix specific overflow in qtextlayout
+
+Adds qAddOverflow and qMulOverflow definitions to QFixed
+
+Fixes: QTBUG-113337
+Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff]
+CVE: CVE-2023-32763
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/gui/painting/qfixed_p.h  | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 846592881c..57d750a4b3 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
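Review bot: this include is what brings in the add_overflow() helper that the qAddOverflow definition further down depends on, so the two qfixed_p.h hunks only make sense applied together; because it pulls a private QtCore header (qnumeric_p.h) into qfixed_p.h, please confirm that the qtbase revision pinned by kirkstone actually ships an int overload of add_overflow() there, otherwise the failure shows up at the later hunk rather than at this line. The angle-bracket form differs from the quoted `"QtCore/..."` includes around it, but that is how the upstream 5.15 diff has it, so no change needed for the backport.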
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = add_overflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
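Review bot: qAddOverflow() writes the (possibly wrapped) sum into *r unconditionally and only signals the problem through its return value, so every caller must check that flag and overwrite the result itself, as the qtextlayout hunk does with QFIXED_MAX; a one-line comment on the helper stating that *r is only meaningful when it returns false would make that contract explicit. Also note that the embedded commit message says it "Adds qAddOverflow and qMulOverflow definitions to QFixed", but only qAddOverflow appears here (the diffstat's 9 added lines for qfixed_p.h are the include plus these 8 lines); the upstream message is rightly kept verbatim in a backport, so a sentence in the recipe-side commit message saying the 5.15 diff carries only the addition helper would avoid confusion.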
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index 26ac37b016..f6c69ff4a2 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+     } else {
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-        eng->maxWidth += line.textWidth;
++        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
+     }
+ 
+-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-        eng->maxWidth += lbh.spaceData.textWidth;
++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
++    }
+ 
+     line.textWidth += trailingSpace;
+     if (lbh.spaceData.length) {
+-- 
+2.25.1
+
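Review bot: the two replaced `eng->maxWidth += ...` statements are the overflow sites, and saturating to QFIXED_MAX on overflow is the right behaviour for a layout width; passing &eng->maxWidth as both an operand and the destination is safe because qAddOverflow takes v1 by value, so the input is copied before *r is written. Once maxWidth has saturated, the second qAddOverflow with a positive spaceData.textWidth overflows again and simply re-clamps, which is consistent. One thing worth stating in the commit message: the `line.textWidth += trailingSpace;` that immediately follows is still an unchecked QFixed addition that upstream left alone, so this backport deliberately covers only the maxWidth accumulation (the "specific overflow" of the subject line), not every QFixed sum in this function.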
diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
index a5ce677..e8756cf 100644
--- a/recipes-qt/qt5/qtbase_git.bb
+++ b/recipes-qt/qt5/qtbase_git.bb
@@ -38,6 +38,7 @@  SRC_URI += "\
     file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \
     file://0022-testlib-don-t-track-the-build-or-source-directories.patch \
     file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \
+    file://CVE-2023-32763.patch \
 "
 
 # Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with
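Review bot: the recipe change is the minimal SRC_URI addition and follows the existing backslash-continued list, so nothing to fix here; the `CVE: CVE-2023-32763` tag in the patch header is what the cve-check class keys on to report the recipe as patched, so keep it in exactly that form. Given the question raised in the thread about mickledore, it would also help to record in the commit message which qtbase revision kirkstone pins, so that a later bump that picks up the upstream fix does not silently double-apply or fail to apply this patch.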