* [meta-qt5][kirkstone][PATCH] qt: CVE-2023-32763 Fix Integer overflow
From: Hitendra Prajapati @ 2023-06-14 11:38 UTC (permalink / raw)
To: openembedded-devel; +Cc: martin.jansa, Hitendra Prajapati
Upstream-Status: Backport from https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++
recipes-qt/qt5/qtbase_git.bb | 1 +
2 files changed, 75 insertions(+)
create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
new file mode 100644
index 0000000..68a1fca
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
@@ -0,0 +1,74 @@
+From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Fri, 5 May 2023 09:51:32 +0200
+Subject: [PATCH] Fix specific overflow in qtextlayout
+
+Adds qAddOverflow and qMulOverflow definitions to QFixed
+
+Fixes: QTBUG-113337
+Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+
+Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff]
+CVE: CVE-2023-32763
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/gui/painting/qfixed_p.h | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
+index 846592881c..57d750a4b3 100644
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = add_overflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
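Review bot: In the qfixed_p.h hunk, qAddOverflow() calls r->setValue(val) unconditionally, so when add_overflow() reports an overflow the output QFixed already holds whatever add_overflow() left in val. Both call sites in this patch pass &eng->maxWidth as the output and overwrite it with QFIXED_MAX afterwards, so they are fine, but a one-line comment on the helper saying that *r is not meaningful when it returns true would keep later callers from relying on it. The embedded commit message also says it adds qAddOverflow and qMulOverflow, while only qAddOverflow appears here; a line in the patch header saying so would avoid confusion.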
+diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
+index 26ac37b016..f6c69ff4a2 100644
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
+--
+2.25.1
+
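Review bot: The context line "line.textWidth += trailingSpace;" directly after the second changed block in qtextlayout.cpp is still an unchecked QFixed addition, so it is worth confirming that it cannot overflow for the same input that overflowed eng->maxWidth, or routing it through qAddOverflow() as well. Both new branches also clamp to QFIXED_MAX whatever the direction of the overflow; the second is guarded by line.textWidth > 0, but nothing visible here constrains the sign of lbh.spaceData.textWidth, so a short comment stating that these widths are non-negative would document why clamping to the maximum is always the right choice.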
diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
index a5ce677..e8756cf 100644
--- a/recipes-qt/qt5/qtbase_git.bb
+++ b/recipes-qt/qt5/qtbase_git.bb
@@ -38,6 +38,7 @@ SRC_URI += "\
file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \
file://0022-testlib-don-t-track-the-build-or-source-directories.patch \
file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \
+ file://CVE-2023-32763.patch \
"
# Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with
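Review bot: The new SRC_URI entry file://CVE-2023-32763.patch does not follow the 00NN- numbering of the entries just above it (0021- to 0023-); if the layer keeps CVE-named patches alongside the numbered series that is fine, otherwise rename it to continue the sequence. The commit message for this change carries only Upstream-Status and Signed-off-by, so a sentence naming the affected code (the QFixed addition to eng->maxWidth in qtextlayout.cpp) would help whoever later has to decide whether the patch can be dropped.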
--
2.25.1
* Re: [meta-qt5][kirkstone][PATCH] qt: CVE-2023-32763 Fix Integer overflow
From: Martin Jansa @ 2023-06-14 14:20 UTC (permalink / raw)
To: Hitendra Prajapati; +Cc: openembedded-devel
Is this included in 5.15.9 release used in mickledore branch?
There is very little difference between kirkstone and mickledore now as qt5
is pretty much dead. So if it's fixed there I would prefer to merge most if
not all changes from mickledore to kirkstone.
And if it isn't fixed in mickledore/master yet, then it should be first
fixed there and then I can backport it with other changes.
On Wed, Jun 14, 2023 at 1:38 PM Hitendra Prajapati <hprajapati@mvista.com>
wrote:
> Upstream-Status: Backport from
> https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> recipes-qt/qt5/qtbase/CVE-2023-32763.patch | 74 ++++++++++++++++++++++
> recipes-qt/qt5/qtbase_git.bb | 1 +
> 2 files changed, 75 insertions(+)
> create mode 100644 recipes-qt/qt5/qtbase/CVE-2023-32763.patch
>
> diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> new file mode 100644
> index 0000000..68a1fca
> --- /dev/null
> +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763.patch
> @@ -0,0 +1,74 @@
> +From 7cc6296600ef436afaa9ed86d2f8a85869abf62a Mon Sep 17 00:00:00 2001
> +From: Allan Sandfeld Jensen <allan.jensen@qt.io>
> +Date: Fri, 5 May 2023 09:51:32 +0200
> +Subject: [PATCH] Fix specific overflow in qtextlayout
> +
> +Adds qAddOverflow and qMulOverflow definitions to QFixed
> +
> +Fixes: QTBUG-113337
> +Change-Id: I13579306defceaccdc0fbb1ec0e9b77c6f8d1af9
> +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
> +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
> +(cherry picked from commit 7b7a01c266b507636eab51a36328c7c72d82d93c)
> +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
> +
> +Upstream-Status: Backport [
> https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
> ]
> +CVE: CVE-2023-32763
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + src/gui/painting/qfixed_p.h | 9 +++++++++
> + src/gui/text/qtextlayout.cpp | 9 ++++++---
> + 2 files changed, 15 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
> +index 846592881c..57d750a4b3 100644
> +--- a/src/gui/painting/qfixed_p.h
> ++++ b/src/gui/painting/qfixed_p.h
> +@@ -54,6 +54,7 @@
> + #include <QtGui/private/qtguiglobal_p.h>
> + #include "QtCore/qdebug.h"
> + #include "QtCore/qpoint.h"
> ++#include <QtCore/private/qnumeric_p.h>
> + #include "QtCore/qsize.h"
> +
> + QT_BEGIN_NAMESPACE
> +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const
> QFixed &f) { return i * 64 <
> + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return
> f.value() > i * 64; }
> + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return
> i * 64 > f.value(); }
> +
> ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
> ++{
> ++ int val;
> ++ bool result = add_overflow(v1.value(), v2.value(), &val);
> ++ r->setValue(val);
> ++ return result;
> ++}
> ++
> + #ifndef QT_NO_DEBUG_STREAM
> + inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
> + { return dbg << f.toReal(); }
> +diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
> +index 26ac37b016..f6c69ff4a2 100644
> +--- a/src/gui/text/qtextlayout.cpp
> ++++ b/src/gui/text/qtextlayout.cpp
> +@@ -2150,11 +2150,14 @@ found:
> + eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
> + } else {
> + eng->minWidth = qMax(eng->minWidth, lbh.minw);
> +- eng->maxWidth += line.textWidth;
> ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
> ++ eng->maxWidth = QFIXED_MAX;
> + }
> +
> +- if (line.textWidth > 0 && item < eng->layoutData->items.size())
> +- eng->maxWidth += lbh.spaceData.textWidth;
> ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
> ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth,
> &eng->maxWidth))
> ++ eng->maxWidth = QFIXED_MAX;
> ++ }
> +
> + line.textWidth += trailingSpace;
> + if (lbh.spaceData.length) {
> +--
> +2.25.1
> +
> diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
> index a5ce677..e8756cf 100644
> --- a/recipes-qt/qt5/qtbase_git.bb
> +++ b/recipes-qt/qt5/qtbase_git.bb
> @@ -38,6 +38,7 @@ SRC_URI += "\
>
> file://0021-rcc-Just-dcument-file-name-without-full-path-to-redu.patch \
> file://0022-testlib-don-t-track-the-build-or-source-directories.patch
> \
> file://0023-zlib-Do-not-undefine-_FILE_OFFSET_BITS.patch \
> + file://CVE-2023-32763.patch \
> "
>
> # Disable LTO for now, QT5 patches are being worked upstream, perhaps
> revisit with
> --
> 2.25.1
>
>
* Re: [meta-qt5][kirkstone][PATCH] qt: CVE-2023-32763 Fix Integer overflow
From: Hitendra Prajapati @ 2023-06-15 3:29 UTC (permalink / raw)
To: Martin Jansa; +Cc: openembedded-devel
Hi,
It is not included in the 5.15.9 release used in mickledore.
I'll try to work on that branch.
On 14/06/23 19:50, Martin Jansa wrote:
> 5.15.9 release used in mickledor
--
Regards,
Hitendra Prajapati
MontaVista Software LLC