Date: Friday, April 25, 2014 @ 13:10:40 Author: andrea Revision: 211741
upgpkg: qt4 4.8.6-1 Upstream release Added: qt4/trunk/CVE-2014-0190.patch Modified: qt4/trunk/PKGBUILD Deleted: qt4/trunk/CVE-2013-4549.patch qt4/trunk/libmng2.patch qt4/trunk/qtbug-31579.patch qt4/trunk/qtbug-32534.patch qt4/trunk/qtbug-32908.patch ---------------------+ CVE-2013-4549.patch | 233 -------------------------------------------------- CVE-2014-0190.patch | 32 ++++++ PKGBUILD | 28 +----- libmng2.patch | 35 ------- qtbug-31579.patch | 146 ------------------------------- qtbug-32534.patch | 40 -------- qtbug-32908.patch | 40 -------- 7 files changed, 39 insertions(+), 515 deletions(-) Deleted: CVE-2013-4549.patch =================================================================== --- CVE-2013-4549.patch 2014-04-25 07:55:53 UTC (rev 211740) +++ CVE-2013-4549.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -1,233 +0,0 @@ -From 512a1ce0698d370c313bb561bbf078935fa0342e Mon Sep 17 00:00:00 2001 -From: Mitch Curtis <[email protected]> -Date: Thu, 7 Nov 2013 09:36:29 +0100 -Subject: [PATCH] Disallow deep or widely nested entity references. - -Nested references with a depth of 2 or greater will fail. References -that partially expand to greater than 1024 characters will also fail. - -This is a backport of 46a8885ae486e238a39efa5119c2714f328b08e4. - -Change-Id: I0c2e1fa13d6ccb5f88641dae2ed3f28bfdeaf609 -Reviewed-by: Richard J. Moore <[email protected]> -Reviewed-by: Lars Knoll <[email protected]> - -From cecceb0cdd87482124a73ecf537f3445d68be13e Mon Sep 17 00:00:00 2001 -From: Mitch Curtis <[email protected]> -Date: Tue, 12 Nov 2013 13:44:56 +0100 -Subject: [PATCH] Fully expand entities to ensure deep or widely nested ones fail parsing - -With 512a1ce0698d370c313bb561bbf078935fa0342e, we failed when parsing -entities whose partially expanded size was greater than 1024 -characters. That was not enough, so now we fully expand all entities. - -This is a backport of f1053d94f59f053ce4acad9320df14f1fbe4faac. - -Change-Id: I41dd6f4525c63e82fd320a22d19248169627f7e0 -Reviewed-by: Richard J. Moore <[email protected]> - -diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp -index a1777c5..3904632 100644 ---- a/src/xml/sax/qxml.cpp -+++ b/src/xml/sax/qxml.cpp -@@ -424,6 +424,10 @@ private: - int stringValueLen; - QString emptyStr; - -+ // The limit to the amount of times the DTD parsing functions can be called -+ // for the DTD currently being parsed. -+ int dtdRecursionLimit; -+ - const QString &string(); - void stringClear(); - void stringAddC(QChar); -@@ -492,6 +496,7 @@ private: - void unexpectedEof(ParseFunction where, int state); - void parseFailed(ParseFunction where, int state); - void pushParseState(ParseFunction function, int state); -+ bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); - - Q_DECLARE_PUBLIC(QXmlSimpleReader) - QXmlSimpleReader *q_ptr; -@@ -2759,6 +2764,7 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) - useNamespacePrefixes = false; - reportWhitespaceCharData = true; - reportEntities = false; -+ dtdRecursionLimit = 2; - } - - QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() -@@ -5018,6 +5024,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype() - } - break; - case Mup: -+ if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) { -+ reportParseError(QString::fromLatin1( -+ "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit)); -+ return false; -+ } - if (!parseMarkupdecl()) { - parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state); - return false; -@@ -6627,6 +6638,37 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() - return false; - } - -+bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) -+{ -+ const QString value = string(); -+ QMap<QString, int> referencedEntityCounts; -+ foreach (QString entityName, entities.keys()) { -+ for (int i = 0; i < value.size() && i != -1; ) { -+ i = value.indexOf(entityName, i); -+ if (i != -1) { -+ // The entityName we're currently trying to find -+ // was matched in this string; increase our count. -+ ++referencedEntityCounts[entityName]; -+ i += entityName.size(); -+ } -+ } -+ } -+ -+ foreach (QString entityName, referencedEntityCounts.keys()) { -+ const int timesReferenced = referencedEntityCounts[entityName]; -+ const QString entityValue = entities[entityName]; -+ if (entityValue.size() * timesReferenced > 1024) { -+ if (errorMessage) { -+ *errorMessage = QString::fromLatin1("The XML entity \"%1\"" -+ "expands too a string that is too large to process when " -+ "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); -+ } -+ return true; -+ } -+ } -+ return false; -+} -+ - /* - Parse a EntityDecl [70]. - -@@ -6721,6 +6763,15 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() - switch (state) { - case EValue: - if ( !entityExist(name())) { -+ QString errorMessage; -+ if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { -+ // The entity at entityName is entityValue.size() characters -+ // long in its unexpanded form, and was mentioned timesReferenced times, -+ // resulting in a string that would be greater than 1024 characters. -+ reportParseError(errorMessage); -+ return false; -+ } -+ - entities.insert(name(), string()); - if (declHnd) { - if (!declHnd->internalEntityDecl(name(), string())) { -diff --git a/src/xml/sax/qxml.cpp b/src/xml/sax/qxml.cpp -index 3904632..befa801 100644 ---- a/src/xml/sax/qxml.cpp -+++ b/src/xml/sax/qxml.cpp -@@ -426,7 +426,9 @@ private: - - // The limit to the amount of times the DTD parsing functions can be called - // for the DTD currently being parsed. -- int dtdRecursionLimit; -+ static const int dtdRecursionLimit = 2; -+ // The maximum amount of characters an entity value may contain, after expansion. -+ static const int entityCharacterLimit = 1024; - - const QString &string(); - void stringClear(); -@@ -496,7 +498,7 @@ private: - void unexpectedEof(ParseFunction where, int state); - void parseFailed(ParseFunction where, int state); - void pushParseState(ParseFunction function, int state); -- bool isPartiallyExpandedEntityValueTooLarge(QString *errorMessage); -+ bool isExpandedEntityValueTooLarge(QString *errorMessage); - - Q_DECLARE_PUBLIC(QXmlSimpleReader) - QXmlSimpleReader *q_ptr; -@@ -2764,7 +2766,6 @@ QXmlSimpleReaderPrivate::QXmlSimpleReaderPrivate(QXmlSimpleReader *reader) - useNamespacePrefixes = false; - reportWhitespaceCharData = true; - reportEntities = false; -- dtdRecursionLimit = 2; - } - - QXmlSimpleReaderPrivate::~QXmlSimpleReaderPrivate() -@@ -6638,30 +6639,43 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq() - return false; - } - --bool QXmlSimpleReaderPrivate::isPartiallyExpandedEntityValueTooLarge(QString *errorMessage) -+bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage) - { -- const QString value = string(); -- QMap<QString, int> referencedEntityCounts; -- foreach (QString entityName, entities.keys()) { -- for (int i = 0; i < value.size() && i != -1; ) { -- i = value.indexOf(entityName, i); -- if (i != -1) { -- // The entityName we're currently trying to find -- // was matched in this string; increase our count. -- ++referencedEntityCounts[entityName]; -- i += entityName.size(); -+ QMap<QString, int> literalEntitySizes; -+ // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times. -+ QMap<QString, QMap<QString, int> > referencesToOtherEntities; -+ QMap<QString, int> expandedSizes; -+ -+ // For every entity, check how many times all entity names were referenced in its value. -+ foreach (QString toSearch, entities.keys()) { -+ // The amount of characters that weren't entity names, but literals, like 'X'. -+ QString leftOvers = entities.value(toSearch); -+ // How many times was entityName referenced by toSearch? -+ foreach (QString entityName, entities.keys()) { -+ for (int i = 0; i < leftOvers.size() && i != -1; ) { -+ i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i); -+ if (i != -1) { -+ leftOvers.remove(i, entityName.size() + 2); -+ // The entityName we're currently trying to find was matched in this string; increase our count. -+ ++referencesToOtherEntities[toSearch][entityName]; -+ } - } - } -+ literalEntitySizes[toSearch] = leftOvers.size(); - } - -- foreach (QString entityName, referencedEntityCounts.keys()) { -- const int timesReferenced = referencedEntityCounts[entityName]; -- const QString entityValue = entities[entityName]; -- if (entityValue.size() * timesReferenced > 1024) { -+ foreach (QString entity, referencesToOtherEntities.keys()) { -+ expandedSizes[entity] = literalEntitySizes[entity]; -+ foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) { -+ const int references = referencesToOtherEntities.value(entity).value(referenceTo); -+ // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size. -+ expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references; -+ } -+ -+ if (expandedSizes[entity] > entityCharacterLimit) { - if (errorMessage) { -- *errorMessage = QString::fromLatin1("The XML entity \"%1\"" -- "expands too a string that is too large to process when " -- "referencing \"%2\" %3 times.").arg(entityName).arg(entityName).arg(timesReferenced); -+ *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3)."); -+ *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit); - } - return true; - } -@@ -6764,10 +6778,7 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl() - case EValue: - if ( !entityExist(name())) { - QString errorMessage; -- if (isPartiallyExpandedEntityValueTooLarge(&errorMessage)) { -- // The entity at entityName is entityValue.size() characters -- // long in its unexpanded form, and was mentioned timesReferenced times, -- // resulting in a string that would be greater than 1024 characters. -+ if (isExpandedEntityValueTooLarge(&errorMessage)) { - reportParseError(errorMessage); - return false; - } --- -1.7.1 Added: CVE-2014-0190.patch =================================================================== --- CVE-2014-0190.patch (rev 0) +++ CVE-2014-0190.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -0,0 +1,32 @@ +Don't crash on broken GIF images + +Broken GIF images could set invalid width and height +values inside the image, leading to Qt creating a null +QImage for it. In that case we need to abort decoding +the image and return an error. + +Initial patch by Rich Moore. + +Backport of Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e from Qt 5 + +Task-number: QTBUG-38367 +Change-Id: I0680740018aaa8356d267b7af3f01fac3697312a +Security-advisory: CVE-2014-0190 + +diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.QTBUG-38367 qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp +--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.QTBUG-38367 2014-04-10 13:37:12.000000000 -0500 ++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp 2014-04-24 15:58:54.515862458 -0500 +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co + memset(bits, 0, image->byteCount()); + } + ++ // Check if the previous attempt to create the image failed. If it ++ // did then the image is broken and we should give up. ++ if (image->isNull()) { ++ state = Error; ++ return -1; ++ } ++ + disposePrevious(image); + disposed = false; + Modified: PKGBUILD =================================================================== --- PKGBUILD 2014-04-25 07:55:53 UTC (rev 211740) +++ PKGBUILD 2014-04-25 11:10:40 UTC (rev 211741) @@ -3,8 +3,8 @@ # Contributor: Pierre Schmitz <[email protected]> pkgname=qt4 -pkgver=4.8.5 -pkgrel=9 +pkgver=4.8.6 +pkgrel=1 arch=('i686' 'x86_64') url='http://qt-project.org/' license=('GPL3' 'LGPL' 'FDL' 'custom') @@ -32,9 +32,8 @@ 'qtconfig-qt4.desktop' 'assistant-qt4.desktop' 'designer-qt4.desktop' 'linguist-qt4.desktop' 'qdbusviewer-qt4.desktop' 'improve-cups-support.patch' - 'qtbug-31579.patch' 'qtbug-32534.patch' 'qtbug-32908.patch' - 'libmng2.patch' 'CVE-2013-4549.patch') -md5sums=('1864987bdbb2f58f8ae8b350dfdbe133' + 'CVE-2014-0190.patch') +md5sums=('2edbe4d6c2eff33ef91732602f3518eb' 'a16638f4781e56e7887ff8212a322ecc' '8a28b3f52dbeb685d4b69440b520a3e1' '9727c406c240990870c905696a8c5bd1' @@ -41,11 +40,7 @@ '0e384663d3dd32abe35f5331c4147569' 'b859c5673e5098c39f72b2252947049e' 'c439c7731c25387352d8453ca7574971' - '6ed8d26a8e4a9bba1f6c08fb99cc8357' - 'bb0e0fa6ba953fa590d81ac612374e11' - 'db343dcae522bc90d802ad1e83b7f5dd' - '0ba4ffc9ff1acb9bf8a5f592ba956d48' - '8701bd7445426c1ad5da3ddbd72df6b4') + '34ed257109afb83342cfe514c8abe027') prepare() { cd ${_pkgfqn} @@ -53,18 +48,9 @@ # (FS#28381) (KDEBUG#180051) patch -p1 -i "${srcdir}"/improve-cups-support.patch - # (FS#36028) (QTBUG#31579) - patch -p1 -i "${srcdir}"/qtbug-31579.patch - # (FS#36394) (QTBUG#32534) - patch -p1 -i "${srcdir}"/qtbug-32534.patch - # (FS#36947) (QTBUG#32908) - patch -p1 -i "${srcdir}"/qtbug-32908.patch + # QTBUG#38367 + patch -p1 -i "${srcdir}"/CVE-2014-0190.patch - # (FS#38081) - patch -p1 -i "${srcdir}"/CVE-2013-4549.patch - # (QTBUG#34894) - patch -p1 -i "${srcdir}"/libmng2.patch - sed -i "s|-O2|${CXXFLAGS}|" mkspecs/common/{g++,gcc}-base.conf sed -i "/^QMAKE_LFLAGS_RPATH/s| -Wl,-rpath,||g" mkspecs/common/gcc-base-unix.conf sed -i "/^QMAKE_LFLAGS\s/s|+=|+= ${LDFLAGS}|g" mkspecs/common/gcc-base.conf Deleted: libmng2.patch =================================================================== --- libmng2.patch 2014-04-25 07:55:53 UTC (rev 211740) +++ libmng2.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -1,35 +0,0 @@ -From 515617e55be9a7bfa738a9c32ef8b19065de37d4 Mon Sep 17 00:00:00 2001 -From: aavit <[email protected]> -Date: Fri, 22 Nov 2013 15:49:44 +0100 -Subject: [PATCH] Recognize newer libmng versions in config test - -libmng 2.0.x has been released and is compatible and usable, but since -it no longer provides a VERSION_MAJOR macro, the config test would fail. - -Task-number: QTBUG-34894 -Change-Id: I36f6ed9d69dbae88feb1b88ce099bf36c9283133 -Reviewed-by: Liang Qi <[email protected]> -(cherry picked from qtimageformats/9ae386653c321c8ddc10fad5ea88f32ebb3d3ffe) ---- - config.tests/unix/libmng/libmng.cpp | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/config.tests/unix/libmng/libmng.cpp b/config.tests/unix/libmng/libmng.cpp -index 0fbe554..9db10ff 100644 ---- a/config.tests/unix/libmng/libmng.cpp -+++ b/config.tests/unix/libmng/libmng.cpp -@@ -46,9 +46,11 @@ int main(int, char **) - mng_handle hMNG; - mng_cleanup(&hMNG); - -+#if defined(MNG_VERSION_MAJOR) - #if MNG_VERSION_MAJOR < 1 || (MNG_VERSION_MAJOR == 1 && MNG_VERSION_MINOR == 0 && MNG_VERSION_RELEASE < 9) - #error System libmng version is less than 1.0.9; using built-in version instead. - #endif -+#endif - - return 0; - } --- -1.7.1 - Deleted: qtbug-31579.patch =================================================================== --- qtbug-31579.patch 2014-04-25 07:55:53 UTC (rev 211740) +++ qtbug-31579.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -1,146 +0,0 @@ -From 2a6537f0629aaff53a42d993ad94ad4de3cd3030 Mon Sep 17 00:00:00 2001 -From: Gunnar Sletta <[email protected]> -Date: Thu, 4 Jul 2013 16:20:40 +1000 -Subject: [PATCH] Fix drawing of 0-width polylines from outside the devicerect. - -This was broken by a previous fix which aimed to fix gaps in -polylines with tiny line segments. The result was that we -skipped updating the origin point when stroke() didn't produce -pixels which accidentally included the case of the line -being completely outside the deviceRect. I fixed this -by returning the value of clipLine in drawLine to the caller -so we could still update the origin for this case. - -Task-number: QTBUG-31579 -Change-Id: Iac29436f042da7658bbeaf9370351dc6f2c95065 -(cherry picked from qtbase/900cccfd459fcbdbc4aa3d313afe12cfbf68fd87) -Reviewed-by: Gunnar Sletta <[email protected]> ---- - src/gui/painting/qcosmeticstroker.cpp | 42 ++++++++++++++++++++------------ - src/gui/painting/qcosmeticstroker_p.h | 2 +- - 2 files changed, 27 insertions(+), 17 deletions(-) - -diff --git a/src/gui/painting/qcosmeticstroker.cpp b/src/gui/painting/qcosmeticstroker.cpp -index 0061ecb..4413170 100644 ---- a/src/gui/painting/qcosmeticstroker.cpp -+++ b/src/gui/painting/qcosmeticstroker.cpp -@@ -133,10 +133,15 @@ struct NoDasher { - - }; - -+/* -+ * The return value is the result of the clipLine() call performed at the start -+ * of each of the two functions, aka "false" means completely outside the devices -+ * rect. -+ */ - template<DrawPixel drawPixel, class Dasher> --static void drawLine(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); -+static bool drawLine(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); - template<DrawPixel drawPixel, class Dasher> --static void drawLineAA(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); -+static bool drawLineAA(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); - - inline void drawPixel(QCosmeticStroker *stroker, int x, int y, int coverage) - { -@@ -602,17 +607,20 @@ void QCosmeticStroker::drawPath(const QVectorPath &path) - caps |= CapEnd; - - QCosmeticStroker::Point last = this->lastPixel; -- stroke(this, p.x(), p.y(), p2.x(), p2.y(), caps); -+ bool unclipped = stroke(this, p.x(), p.y(), p2.x(), p2.y(), caps); - - /* fix for gaps in polylines with fastpen and aliased in a sequence - of points with small distances: if current point p2 has been dropped -- out, keep last non dropped point p. */ -- if (fastPenAliased) { -- if (last.x != lastPixel.x || last.y != lastPixel.y || -- points == begin + 2 || points == end - 2 ) { -- { -- p = p2; -- } -+ out, keep last non dropped point p. -+ -+ However, if the line was completely outside the devicerect, we -+ still need to update p to avoid drawing the line after this one from -+ a bad starting position. -+ */ -+ if (fastPenAliased && unclipped) { -+ if (last.x != lastPixel.x || last.y != lastPixel.y -+ || points == begin + 2 || points == end - 2) { -+ p = p2; - } - } else { - p = p2; -@@ -720,10 +728,10 @@ static inline void capAdjust(int caps, int &x1, int &x2, int &y, int yinc) - the drawing shifts from horizontal to vertical or back. - */ - template<DrawPixel drawPixel, class Dasher> --static void drawLine(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, qreal ry2, int caps) -+static bool drawLine(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, qreal ry2, int caps) - { - if (stroker->clipLine(rx1, ry1, rx2, ry2)) -- return; -+ return false; - - static const int half = 31; - int x1 = toF26Dot6(rx1) + half; -@@ -813,7 +821,7 @@ static void drawLine(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, - } else { - // horizontal - if (!dx) -- return; -+ return true; - - QCosmeticStroker::Direction dir = QCosmeticStroker::LeftToRight; - -@@ -886,14 +894,15 @@ static void drawLine(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, - } - } - stroker->lastPixel = last; -+ return true; - } - - - template<DrawPixel drawPixel, class Dasher> --static void drawLineAA(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, qreal ry2, int caps) -+static bool drawLineAA(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx2, qreal ry2, int caps) - { - if (stroker->clipLine(rx1, ry1, rx2, ry2)) -- return; -+ return false; - - int x1 = toF26Dot6(rx1); - int y1 = toF26Dot6(ry1); -@@ -967,7 +976,7 @@ static void drawLineAA(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx - } else { - // horizontal - if (!dx) -- return; -+ return true; - - int yinc = F16Dot16FixedDiv(dy, dx); - -@@ -1029,6 +1038,7 @@ static void drawLineAA(QCosmeticStroker *stroker, qreal rx1, qreal ry1, qreal rx - drawPixel(stroker, x, (y>>16) + 1, alpha * alphaEnd >> 6); - } - } -+ return true; - } - - QT_END_NAMESPACE -diff --git a/src/gui/painting/qcosmeticstroker_p.h b/src/gui/painting/qcosmeticstroker_p.h -index 870738b..3216856 100644 ---- a/src/gui/painting/qcosmeticstroker_p.h -+++ b/src/gui/painting/qcosmeticstroker_p.h -@@ -56,7 +56,7 @@ QT_MODULE(Gui) - class QCosmeticStroker; - - --typedef void (*StrokeLine)(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); -+typedef bool (*StrokeLine)(QCosmeticStroker *stroker, qreal x1, qreal y1, qreal x2, qreal y2, int caps); - - class QCosmeticStroker - { --- -1.7.1 - Deleted: qtbug-32534.patch =================================================================== --- qtbug-32534.patch 2014-04-25 07:55:53 UTC (rev 211740) +++ qtbug-32534.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -1,40 +0,0 @@ -From 1f40ed553e618c3b0511c7db4b4fd26c2d2b65bf Mon Sep 17 00:00:00 2001 -From: Peter Hartmann <[email protected]> -Date: Thu, 25 Jul 2013 12:05:29 -0400 -Subject: [PATCH] QHttpMultiPart: fix data corruption in readData method - -When readData() is called repeatedly, we need to keep track which -part of the multipart message we are currently reading from. -Hereby we also need to take the boundary size into account, and not -only the size of the multipart; otherwise we would skip a not -completely read part. This would then later lead to advancing the -read pointer by negative indexes and data loss. - -Task-number: QTBUG-32534 -Change-Id: Ibb6dff16adaf4ea67181d23d1d0c8459e33a0ed0 -Reviewed-by: Jonathan Liu <[email protected]> -Reviewed-by: Shane Kearns <[email protected]> -(cherry picked from qtbase/af96c6fed931564c95037539f07e9c8e33c69529) -Reviewed-by: Thiago Macieira <[email protected]> ---- - src/network/access/qhttpmultipart.cpp | 3 +- - tests/auto/qnetworkreply/tst_qnetworkreply.cpp | 44 ++++++++++++++++++++++++ - 2 files changed, 46 insertions(+), 1 deletions(-) - -diff --git a/src/network/access/qhttpmultipart.cpp b/src/network/access/qhttpmultipart.cpp -index 635129a..b25e917 100644 ---- a/src/network/access/qhttpmultipart.cpp -+++ b/src/network/access/qhttpmultipart.cpp -@@ -488,7 +488,8 @@ qint64 QHttpMultiPartIODevice::readData(char *data, qint64 maxSize) - - // skip the parts we have already read - while (index < multiPart->parts.count() && -- readPointer >= partOffsets.at(index) + multiPart->parts.at(index).d->size()) -+ readPointer >= partOffsets.at(index) + multiPart->parts.at(index).d->size() -+ + multiPart->boundary.count() + 6) // 6 == 2 boundary dashes, \r\n after boundary, \r\n after multipart - index++; - - // read the data --- -1.7.1 - Deleted: qtbug-32908.patch =================================================================== --- qtbug-32908.patch 2014-04-25 07:55:53 UTC (rev 211740) +++ qtbug-32908.patch 2014-04-25 11:10:40 UTC (rev 211741) @@ -1,40 +0,0 @@ -From 0c03af0d4d928bdbb32b09eedb1dba3ce59e5278 Mon Sep 17 00:00:00 2001 -From: Gatis Paeglis <[email protected]> -Date: Sat, 31 Aug 2013 21:22:47 +0200 -Subject: [PATCH] Revert "QTBUG-15319: fix shortcuts with secondary Xkb layout." - -The change which attempted to fix QTBUG-15319 broke keyboard -shortcuts for non latin keyboard layouts. - -This patch reverts QTBUG-15319 (f45cdeda8) since it caused a -regression. - -Task-number: QTBUG-32908 - -Change-Id: I47d7984fa7986d5218d1f3ff1fc36d2ec67c9ba7 -Reviewed-by: David Faure <[email protected]> ---- - src/gui/kernel/qkeymapper_x11.cpp | 5 +---- - 1 files changed, 1 insertions(+), 4 deletions(-) - -diff --git a/src/gui/kernel/qkeymapper_x11.cpp b/src/gui/kernel/qkeymapper_x11.cpp -index 005ff3f..7daa41d 100644 ---- a/src/gui/kernel/qkeymapper_x11.cpp -+++ b/src/gui/kernel/qkeymapper_x11.cpp -@@ -282,12 +282,9 @@ QList<int> QKeyMapperPrivate::possibleKeysXKB(QKeyEvent *event) - - // first, translate key only using lock modifiers (there are no Qt equivalents for these, so we must - // always use them when determining the baseKeySym) -- // Note: the Xkb group to be used for the conversion keycode->keysym has to be given to -- // XkbLookupKeySym(). This information is contained in the bits 8 to 15 of xmodifiers. -- // See https://bugreports.qt-project.org/browse/QTBUG-15319 . - KeySym baseKeySym; - uint consumedModifiers; -- if (!XkbLookupKeySym(X11->display, xkeycode, (xmodifiers & (0xff00 | LockMask | qt_num_lock_mask)), -+ if (!XkbLookupKeySym(X11->display, xkeycode, (xmodifiers & (LockMask | qt_num_lock_mask)), - &consumedModifiers, &baseKeySym)) - return QList<int>(); - --- -1.7.1 -
