Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libqt5-qtsvg for openSUSE:Factory 
checked in at 2021-04-19 21:05:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-qtsvg (Old)
 and      /work/SRC/openSUSE:Factory/.libqt5-qtsvg.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libqt5-qtsvg"

Mon Apr 19 21:05:43 2021 rev:46 rq:885977 version:5.15.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libqt5-qtsvg/libqt5-qtsvg.changes        
2020-11-25 19:29:38.982512795 +0100
+++ /work/SRC/openSUSE:Factory/.libqt5-qtsvg.new.12324/libqt5-qtsvg.changes     
2021-04-19 21:05:55.888023265 +0200
@@ -1,0 +2,11 @@
+Fri Apr 16 09:37:36 UTC 2021 - Fabian Vogt <fv...@suse.com>
+
+- Add commits from kde's 5.15 branch:
+  * 0001-Improve-handling-of-malformed-numeric-values-in-svg-.patch
+  * 0002-Clamp-parsed-doubles-to-float-representable-values.patch
+    (bsc#1184783, QTBUG-91507, CVE-2021-3481)
+  * 0003-Avoid-buffer-overflow-in-isSupportedSvgFeature.patch
+  * 0004-Make-image-handler-accept-UTF-16-UTF-32-encoded-SVGs.patch
+    (QTBUG-90744)
+
+-------------------------------------------------------------------

New:
----
  0001-Improve-handling-of-malformed-numeric-values-in-svg-.patch
  0002-Clamp-parsed-doubles-to-float-representable-values.patch
  0003-Avoid-buffer-overflow-in-isSupportedSvgFeature.patch
  0004-Make-image-handler-accept-UTF-16-UTF-32-encoded-SVGs.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libqt5-qtsvg.spec ++++++
--- /var/tmp/diff_new_pack.jIrwNG/_old  2021-04-19 21:05:56.412024051 +0200
+++ /var/tmp/diff_new_pack.jIrwNG/_new  2021-04-19 21:05:56.416024057 +0200
@@ -31,6 +31,11 @@
 URL:            https://www.qt.io
 Source:         
https://download.qt.io/official_releases/qt/5.15/%{real_version}/submodules/%{tar_version}.tar.xz
 Source1:        baselibs.conf
+# PATCH-FIX-UPSTREAM
+Patch1:         0001-Improve-handling-of-malformed-numeric-values-in-svg-.patch
+Patch2:         0002-Clamp-parsed-doubles-to-float-representable-values.patch
+Patch3:         0003-Avoid-buffer-overflow-in-isSupportedSvgFeature.patch
+Patch4:         0004-Make-image-handler-accept-UTF-16-UTF-32-encoded-SVGs.patch
 BuildRequires:  libQt5Core-private-headers-devel >= %{version}
 BuildRequires:  libQt5Gui-private-headers-devel >= %{version}
 BuildRequires:  libQt5Widgets-private-headers-devel >= %{version}
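Review bot: The single `# PATCH-FIX-UPSTREAM` comment above `Patch1:` does not say which of the four patches carries the security fix. The changelog entry in this same submission ties 0002 to bsc#1184783, QTBUG-91507 and CVE-2021-3481, so I would annotate the patch lines individually, for example `# PATCH-FIX-UPSTREAM bsc#1184783 CVE-2021-3481` directly above `Patch2:`. That lets anyone auditing the spec see which patch must not be dropped on a later rebase without having to open the .changes file.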
@@ -42,13 +47,15 @@
 BuildRequires:  pkgconfig
 BuildRequires:  xz
 BuildRequires:  pkgconfig(zlib)
+# Use git to apply the patches, Patch4 contains binary diffs
+BuildRequires:  git-core
 
 %description
 The Qt SVG module provides functionality for displaying SVG images
 as a widget, and to create SVG files using drawing commands.
 
 %prep
-%autosetup -p1 -n %{tar_version}
+%autosetup -p1 -S git -n %{tar_version}
 
 %package -n %{libname}
 Summary:        Qt 5 SVG Library

++++++ 0001-Improve-handling-of-malformed-numeric-values-in-svg-.patch ++++++
>From aceea78cc05ac8ff947cee9de8149b48771781a8 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsl...@qt.io>
Date: Tue, 1 Dec 2020 14:39:59 +0100
Subject: [PATCH 1/4] Improve handling of malformed numeric values in svg files

Catch cases where the input is not containable in a qreal, and avoid
passing on inf values.

Change-Id: I1ab8932d94473916815385240c29e03afb0e0c9e
Reviewed-by: Robert Loehning <robert.loehn...@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io>
(cherry picked from commit 428d56da9d5ed9bda51f7cc3c144996fb3a6a285)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_...@qt-project.org>
---
 src/svg/qsvghandler.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index c937254..b3d9aaf 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -65,6 +65,7 @@
 #include "private/qmath_p.h"
 
 #include "float.h"
+#include <cmath>
 
 QT_BEGIN_NAMESPACE
 
@@ -672,6 +673,8 @@ static qreal toDouble(const QChar *&str)
             val = -val;
     } else {
         val = QByteArray::fromRawData(temp, pos).toDouble();
+        if (qFpClassify(val) != FP_NORMAL)
+            val = 0;
     }
     return val;
 
-- 
2.25.1

++++++ 0002-Clamp-parsed-doubles-to-float-representable-values.patch ++++++
>From 95990cbeebc0ab9959e2a925a93ad4897416bbb7 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jen...@qt.io>
Date: Thu, 4 Mar 2021 14:28:48 +0100
Subject: [PATCH 2/4] Clamp parsed doubles to float representable values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Parts of our rendering assumes incoming doubles can still be sane
floats.

Fixes: QTBUG-91507
Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
Reviewed-by: Robert Löhning <robert.loehn...@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordh...@qt.io>
(cherry picked from commit bfd6ee0d8cf34b63d32adf10ed93daa0086b359f)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_...@qt-project.org>
---
 src/svg/qsvghandler.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index b3d9aaf..9dac05c 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -673,7 +673,8 @@ static qreal toDouble(const QChar *&str)
             val = -val;
     } else {
         val = QByteArray::fromRawData(temp, pos).toDouble();
-        if (qFpClassify(val) != FP_NORMAL)
+        // Do not tolerate values too wild to be represented normally by floats
+        if (qFpClassify(float(val)) != FP_NORMAL)
             val = 0;
     }
     return val;
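Review bot: The narrowing cast `float(val)` in the new check is the fragile part: converting a double outside float's range is undefined behaviour by the C++ standard, even though IEEE-754 targets yield inf in practice. Doing the range test in double avoids relying on that, e.g. `if (!qIsFinite(val) || qAbs(val) > FLT_MAX)` (float.h is already included in this file). That variant would let through values that are subnormal as float, which the current check zeroes. The commit subject says "clamp", but the value is reset to 0 rather than clamped, and the comment should say so. Only the `else` branch is guarded and the start of toDouble() is outside the hunk, so whether the other branch can also produce out-of-range values cannot be judged here.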
@@ -3046,6 +3047,8 @@ static QSvgStyleProperty 
*createRadialGradientNode(QSvgNode *node,
         ncy = toDouble(cy);
     if (!r.isEmpty())
         nr = toDouble(r);
+    if (nr < 0.5)
+        nr = 0.5;
 
     qreal nfx = ncx;
     if (!fx.isEmpty())
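Review bot: The floor `if (nr < 0.5) nr = 0.5;` is applied to every radial gradient, with no comment saying where 0.5 comes from or which units it is in. If the radius can be given as a fraction of the bounding box (the units handling is not visible in this hunk), radii below 0.5 would be legitimate input and this line would silently change how they render. I would add a comment such as `// Lower bound on the gradient radius (QTBUG-91507); TODO confirm 0.5 is safe for bounding-box units` and check whether a smaller bound would do. createRadialGradientNode continues outside the hunk.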
-- 
2.25.1

++++++ 0003-Avoid-buffer-overflow-in-isSupportedSvgFeature.patch ++++++
>From 1c2072ad16e0097c15df701dc22f07bf481fc4ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehn...@qt.io>
Date: Wed, 17 Feb 2021 19:20:42 +0100
Subject: [PATCH 3/4] Avoid buffer overflow in isSupportedSvgFeature

Fixes oss-fuzz issue 29873.

Pick-to: 6.0 6.1
Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c
Reviewed-by: Eirik Aavitsland <eirik.aavitsl...@qt.io>
(cherry picked from commit afde7ca3a40f524e40052df696f74190452b22cb)
---
 src/svg/qsvgstructure.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b..89c9e4e 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString 
&str)
     };
 
     if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+        const char16_t unicode44 = str.at(44).unicode();
+        const char16_t unicode45 = str.at(45).unicode();
+        if (unicode44 >= sizeof(asso_values) || unicode45 >= 
sizeof(asso_values))
+            return false;
         const int key = str.length()
-                        + asso_values[str.at(45).unicode()]
-                        + asso_values[str.at(44).unicode()];
+                        + asso_values[unicode45]
+                        + asso_values[unicode44];
         if (key <= MAX_HASH_VALUE && key >= 0)
             return str == QLatin1String(wordlist[key]);
     }
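Review bot: The new bound compares the code units against `sizeof(asso_values)`, which is the array's size in bytes, not its element count. The two are equal only if the elements are one byte wide; the declaration is above the hunk, so that cannot be confirmed here, and if the element type is ever widened the check would admit out-of-range indexes again. `sizeof(asso_values) / sizeof(asso_values[0])` states the intended bound independently of the element type. The unconditional `str.at(44)` and `str.at(45)` also rely on MIN_WORD_LENGTH being at least 46, which is likewise defined outside the hunk.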
-- 
2.25.1

++++++ 0004-Make-image-handler-accept-UTF-16-UTF-32-encoded-SVGs.patch ++++++
>From cfc616978b52a396b2ef6900546f7fc086d7cab3 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsl...@qt.io>
Date: Thu, 8 Apr 2021 13:19:52 +0200
Subject: [PATCH 4/4] Make image handler accept UTF-16/UTF-32 encoded SVGs

The canRead() header checks assumed 8 bit encoding.

Pick-to: 6.1 6.0 5.15
Fixes: QTBUG-90744
Change-Id: Ibe934fe9ed31b89ee0fbfc4562aa66ab1b359225
Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io>
(cherry picked from commit 45fb1f07eaa984af40fca9f12b8f3d27f7b0e9ac)
---
 .../imageformats/svg/qsvgiohandler.cpp        |  37 +++++++++++-------
 tests/auto/qsvgplugin/simple_Utf16BE.svg      | Bin 0 -> 228 bytes
 tests/auto/qsvgplugin/simple_Utf16LE.svg      | Bin 0 -> 228 bytes
 tests/auto/qsvgplugin/simple_Utf32BE.svg      | Bin 0 -> 456 bytes
 tests/auto/qsvgplugin/simple_Utf32LE.svg      | Bin 0 -> 456 bytes
 tests/auto/qsvgplugin/simple_Utf8.svg         |   3 ++
 tests/auto/qsvgplugin/tst_qsvgplugin.cpp      |  32 +++++++++++++++
 7 files changed, 57 insertions(+), 15 deletions(-)
 create mode 100644 tests/auto/qsvgplugin/simple_Utf16BE.svg
 create mode 100644 tests/auto/qsvgplugin/simple_Utf16LE.svg
 create mode 100644 tests/auto/qsvgplugin/simple_Utf32BE.svg
 create mode 100644 tests/auto/qsvgplugin/simple_Utf32LE.svg
 create mode 100644 tests/auto/qsvgplugin/simple_Utf8.svg

diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp 
b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index bd39b2a..4136aaf 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -118,6 +118,24 @@ QSvgIOHandler::~QSvgIOHandler()
     delete d;
 }
 
+static bool isPossiblySvg(QIODevice *device, bool *isCompressed = nullptr)
+{
+    constexpr int bufSize = 64;
+    char buf[bufSize];
+    const qint64 readLen = device->peek(buf, bufSize);
+    if (readLen < 8)
+        return false;
+#    ifndef QT_NO_COMPRESS
+    if (quint8(buf[0]) == 0x1f && quint8(buf[1]) == 0x8b) {
+        if (isCompressed)
+            *isCompressed = true;
+        return true;
+    }
+#    endif
+    QTextStream str(QByteArray::fromRawData(buf, readLen));
+    QByteArray ba = str.read(16).trimmed().toLatin1();
+    return ba.startsWith("<?xml") || ba.startsWith("<svg") || 
ba.startsWith("<!--") || ba.startsWith("<!DOCTYPE svg");
+}
 
 bool QSvgIOHandler::canRead() const
 {
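Review bot: isPossiblySvg() has no comment describing its contract, and two details are easy to miss. `*isCompressed` is written only when the gzip magic is found, so callers must initialise it to false (canRead() does). The text test now uses startsWith() on at most 16 decoded characters that are trimmed afterwards, where the removed code used contains(); since `<!DOCTYPE svg` is 13 characters, more than three leading whitespace characters make that match fail. Because this function decides whether untrusted data is handed to the SVG parser, I would add a short comment above it stating that it peeks up to 64 bytes without consuming them, what counts as a match, and the out-parameter rule.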
@@ -126,15 +144,9 @@ bool QSvgIOHandler::canRead() const
     if (d->loaded && !d->readDone)
         return true;        // Will happen if we have been asked for the size
 
-    QByteArray buf = device()->peek(16);
-#ifndef QT_NO_COMPRESS
-    if (buf.startsWith("\x1f\x8b")) {
-        setFormat("svgz");
-        return true;
-    } else
-#endif
-    if (buf.contains("<?xml") || buf.contains("<svg") || buf.contains("<!--") 
|| buf.contains("<!DOCTYPE svg")) {
-        setFormat("svg");
+    bool isCompressed = false;
+    if (isPossiblySvg(device(), &isCompressed)) {
+        setFormat(isCompressed ? "svgz" : "svg");
         return true;
     }
     return false;
@@ -260,12 +272,7 @@ bool QSvgIOHandler::supportsOption(ImageOption option) 
const
 
 bool QSvgIOHandler::canRead(QIODevice *device)
 {
-    QByteArray buf = device->peek(16);
-    return
-#ifndef QT_NO_COMPRESS
-            buf.startsWith("\x1f\x8b") ||
-#endif
-            buf.contains("<?xml") || buf.contains("<svg") || 
buf.contains("<!--") || buf.contains("<!DOCTYPE svg");
+    return isPossiblySvg(device);
 }
 
 QT_END_NAMESPACE
diff --git a/tests/auto/qsvgplugin/simple_Utf16BE.svg 
b/tests/auto/qsvgplugin/simple_Utf16BE.svg
new file mode 100644
index 
0000000000000000000000000000000000000000..c3312cb2a98dc3a2a7f42100720a94ee913ab641
GIT binary patch
literal 228
zcmY+8!3x4a3`F1AuUP86TPwXt^=FD(h1JSdZ2kG_Y$$>ZBuq%=W%<xD@}kG7o=I|7
z2JRdw*illcJ7#V~O-GwwcuEfrcxf_~s(bAZ%IGz%b(!VY{DKo3B{>m0F_LN&(W%dt
i+N`XO_n%MZY8v|_=r&6EzpW7h!FvAF8>RhG#ry&V93m0`

literal 0
HcmV?d00001

diff --git a/tests/auto/qsvgplugin/simple_Utf16LE.svg 
b/tests/auto/qsvgplugin/simple_Utf16LE.svg
new file mode 100644
index 
0000000000000000000000000000000000000000..cdbeda92a5145faf70fcc8dcdf034141a66f59cf
GIT binary patch
literal 228
zcmY+8!3x4a3`F1AuUP86tCe14^=FD(h1JSdZ2ft4HWWby5+)?`@_7eFp7c1?6It%U
zz>NbHTWU7yj+rY-)6wQ<9@3pXUYbm`>Q4KEGI~uLT^9Kzzv9SBNsd4#MpjKCI`!F7
h+lAHf`t#XbLu;Qz-6pC0w>Cl~S}%Wkql6!|Fux@+A`$=q

literal 0
HcmV?d00001

diff --git a/tests/auto/qsvgplugin/simple_Utf32BE.svg 
b/tests/auto/qsvgplugin/simple_Utf32BE.svg
new file mode 100644
index 
0000000000000000000000000000000000000000..0d5d02c1ba98a60908ca852692bf5f1124d4b64b
GIT binary patch
literal 456
zcmaKnNeV(i3<Z1bDT3}DaU<$w#0i{Gak#u%B^~&<a8V@Pncgeq^)97M;Q}{UL)3gp
zJcG3@9N_>nXu|-y(68?xK41?!u-Dn_-;iG`C*lNpl{+zUr}+rXy{itj**^qtCjK?`
zt8ES~h>9K;pbvMMt5J^uzSW*u$K*|4)}Mds?#x;BIj@d@6?oTsl6@WW^k9$VJ7@Kl
LUi9$m^;`P@=Ncjs

literal 0
HcmV?d00001

diff --git a/tests/auto/qsvgplugin/simple_Utf32LE.svg 
b/tests/auto/qsvgplugin/simple_Utf32LE.svg
new file mode 100644
index 
0000000000000000000000000000000000000000..58a71596656a79d9540b6bbef92e6b40aec46871
GIT binary patch
literal 456
zcmaKnNeV(i3<b0H6pij3aU=RKBTnFiio@mAD(Jw+g^MET&h*~r9WjrHE8JlNrRFQ*
z1+4Ah1V>mv7e>&BVSN|k6ArKkd!5bxE%~i-CeC0`c@PtKnoq#oyXsJz{bTTE;$K_8
z+8XFUspxSD`f!)I8ueJfx7t(dl)UZB`s+{KojI#M=habQ4c_&hWM7XwJ=i1p&RM;s
K7d`xX&Ds}BU?LI#

literal 0
HcmV?d00001

diff --git a/tests/auto/qsvgplugin/simple_Utf8.svg 
b/tests/auto/qsvgplugin/simple_Utf8.svg
new file mode 100644
index 0000000..2052c48
--- /dev/null
+++ b/tests/auto/qsvgplugin/simple_Utf8.svg
@@ -0,0 +1,3 @@
+???<svg version="1.0" xmlns="http://www.w3.org/2000/svg";>
+  <circle cx="50" cy="50" r="25" fill="#00ff00" />
+</svg>
diff --git a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp 
b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
index e1f84f3..73bbe8b 100644
--- a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
+++ b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
@@ -61,6 +61,8 @@ private slots:
     void checkSize_data();
     void checkSize();
     void checkImageInclude();
+    void encodings_data();
+    void encodings();
 };
 
 
@@ -145,6 +147,36 @@ void tst_QSvgPlugin::checkImageInclude()
     logMessages.clear();
 }
 
+void tst_QSvgPlugin::encodings_data()
+{
+    QTest::addColumn<QString>("filename");
+
+    QTest::newRow("utf-8") << QFINDTESTDATA("simple_Utf8.svg");
+    QTest::newRow("utf-16LE") << QFINDTESTDATA("simple_Utf16LE.svg");
+    QTest::newRow("utf-16BE") << QFINDTESTDATA("simple_Utf16BE.svg");
+    QTest::newRow("utf-32LE") << QFINDTESTDATA("simple_Utf32LE.svg");
+    QTest::newRow("utf-32BE") << QFINDTESTDATA("simple_Utf32BE.svg");
+}
+
+void tst_QSvgPlugin::encodings()
+{
+    QFETCH(QString, filename);
+
+    {
+        QFile file(filename);
+        file.open(QIODevice::ReadOnly);
+        QVERIFY(QSvgIOHandler::canRead(&file));
+    }
+
+    QFile file(filename);
+    file.open(QIODevice::ReadOnly);
+    QSvgIOHandler plugin;
+    plugin.setDevice(&file);
+    QVERIFY(plugin.canRead());
+    QImage img;
+    QVERIFY(plugin.read(&img));
+    QCOMPARE(img.size(), QSize(50, 50));
+}
 
 QTEST_MAIN(tst_QSvgPlugin)
 #include "tst_qsvgplugin.moc"
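Review bot: Both `file.open(QIODevice::ReadOnly);` calls in encodings() ignore the return value, so a missing data file shows up as a canRead() failure rather than as a setup error; `QVERIFY(file.open(QIODevice::ReadOnly));` makes that distinction. The data set also has only positive cases. Since the commit changes how the handler sniffs content, I would add rows that must be rejected, such as non-SVG bytes and an input shorter than 8 bytes, with an expected-result column to pin the new behaviour.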
-- 
2.25.1
