commit:     f0f2e0e6f77f988b30bcaeef18e2d4e28708f7b1
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 25 23:29:54 2020 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sat Jan 25 23:56:18 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0f2e0e6

dev-qt/qtcore: Fix CVE-2019-18281

Bug: https://bugs.gentoo.org/699226
Package-Manager: Portage-2.3.85, Repoman-2.3.20
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 .../files/qtcore-5.12.3-CVE-2019-18281.patch       | 98 ++++++++++++++++++++++
 dev-qt/qtcore/qtcore-5.12.3-r1.ebuild              | 86 +++++++++++++++++++
 2 files changed, 184 insertions(+)

diff --git a/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch 
b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
new file mode 100644
index 00000000000..055794b5196
--- /dev/null
+++ b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
@@ -0,0 +1,98 @@
+From 1232205e32464d90e871f39eb1e14fcf9b78a163 Mon Sep 17 00:00:00 2001
+From: Rainer Keller <[email protected]>
+Date: Tue, 27 Aug 2019 14:44:48 +0200
+Subject: [PATCH] Fix crash when text contains too many directional chars
+
+In case a text to be layouted contains more than 128 directional characters
+it causes the application to crash
+
+The function initScriptAnalysisAndIsolatePairs() collects information of
+RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is
+capped to 128. Later the function generateDirectionalRuns() iterates
+the text again and tries to access items from the previously capped vector
+above the upper bound.
+
+Task-number: QTBUG-77819
+Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a
+Reviewed-by: Simon Hausmann <[email protected]>
+---
+ src/gui/text/qtextengine.cpp                        | 15 +++++++--------
+ tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp
+index 2da13289bfd..a7834587b1e 100644
+--- a/src/gui/text/qtextengine.cpp
++++ b/src/gui/text/qtextengine.cpp
+@@ -399,6 +399,7 @@ struct QBidiAlgorithm {
+                         analysis[i].bidiDirection = (level & 1) ? QChar::DirR 
: QChar::DirL;
+                     runHasContent = true;
+                     lastRunWithContent = -1;
++                    ++isolatePairPosition;
+                 }
+                 int runBeforeIsolate = runs.size();
+                 ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : 
((stack.top().level + 2) & ~1);
+@@ -440,21 +441,19 @@ struct QBidiAlgorithm {
+                 doEmbed(true, true, false);
+                 break;
+             case QChar::DirLRI:
+-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+                 doEmbed(false, false, true);
+-                ++isolatePairPosition;
+                 break;
+             case QChar::DirRLI:
+-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+                 doEmbed(true, false, true);
+-                ++isolatePairPosition;
+                 break;
+             case QChar::DirFSI: {
+-                const auto &pair = isolatePairs.at(isolatePairPosition);
+-                Q_ASSERT(pair.start == i);
+-                bool isRtl = QStringView(text + pair.start + 1, pair.end - 
pair.start - 1).isRightToLeft();
++                bool isRtl = false;
++                if (isolatePairPosition < isolatePairs.size()) {
++                    const auto &pair = isolatePairs.at(isolatePairPosition);
++                    Q_ASSERT(pair.start == i);
++                    isRtl = QStringView(text + pair.start + 1, pair.end - 
pair.start - 1).isRightToLeft();
++                }
+                 doEmbed(isRtl, false, true);
+-                ++isolatePairPosition;
+                 break;
+             }
+ 
+diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp 
b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+index 9c477589f93..f0a32c2ed40 100644
+--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
++++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+@@ -138,6 +138,7 @@ private slots:
+     void noModificationOfInputString();
+     void superscriptCrash_qtbug53911();
+     void showLineAndParagraphSeparatorsCrash();
++    void tooManyDirectionalCharctersCrash_qtbug77819();
+ 
+ private:
+     QFont testFont;
+@@ -2309,5 +2310,21 @@ void tst_QTextLayout::nbspWithFormat()
+     QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length());
+ }
+ 
++void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819()
++{
++    QString data;
++    data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character
++    data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character
++
++    // duplicating the text
++    for (int i = 0; i < 10; i++)
++        data += data;
++
++    // Nothing to test. It must not crash in beginLayout().
++    QTextLayout tl(data);
++    tl.beginLayout();
++    tl.endLayout();
++}
++
+ QTEST_MAIN(tst_QTextLayout)
+ #include "tst_qtextlayout.moc"
+-- 
+2.16.3

diff --git a/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild 
b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild
new file mode 100644
index 00000000000..ff88ef5f4ec
--- /dev/null
+++ b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild
@@ -0,0 +1,86 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Cross-platform application development framework"
+
+if [[ ${QT5_BUILD_TYPE} == release ]]; then
+       KEYWORDS="~arm ~x86"
+fi
+
+IUSE="icu systemd"
+
+DEPEND="
+       dev-libs/double-conversion:=
+       dev-libs/glib:2
+       dev-libs/libpcre2[pcre16,unicode]
+       sys-libs/zlib:=
+       icu? ( dev-libs/icu:= )
+       !icu? ( virtual/libiconv )
+       systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="${DEPEND}
+       !<dev-qt/qtcore-4.8.7-r4:4
+"
+
+QT5_TARGET_SUBDIRS=(
+       src/tools/bootstrap
+       src/tools/moc
+       src/tools/rcc
+       src/tools/qfloat16-tables
+       src/corelib
+       src/tools/qlalr
+       doc
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+       !:network
+       !:sql
+       !:testlib
+       !:xml
+)
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2019-18281.patch" )
+
+src_prepare() {
+       # don't add -O3 to CXXFLAGS, bug 549140
+       sed -i -e '/CONFIG\s*+=/s/optimize_full//' src/corelib/corelib.pro || 
die
+
+       # fix missing qt_version_tag symbol w/ LTO, bug 674382
+       sed -i -e 's/^gcc:ltcg/gcc/' src/corelib/global/global.pri || die
+
+       qt5-build_src_prepare
+}
+
+src_configure() {
+       local myconf=(
+               -no-feature-statx       # bug 672856
+               $(qt_use icu)
+               $(qt_use !icu iconv)
+               $(qt_use systemd journald)
+       )
+       qt5-build_src_configure
+}
+
+src_install() {
+       qt5-build_src_install
+
+       local flags=(
+               DBUS FREETYPE IMAGEFORMAT_JPEG IMAGEFORMAT_PNG
+               OPENGL OPENSSL SSL WIDGETS
+       )
+
+       for flag in ${flags[@]}; do
+               cat >> "${D%/}"/${QT5_HEADERDIR}/QtCore/qconfig.h <<- _EOF_ || 
die
+
+                       #if defined(QT_NO_${flag}) && defined(QT_${flag})
+                       # undef QT_NO_${flag}
+                       #elif !defined(QT_NO_${flag}) && !defined(QT_${flag})
+                       # define QT_NO_${flag}
+                       #endif
+               _EOF_
+       done
+}
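Review bot: The loop header in src_install expands the array unquoted, `for flag in ${flags[@]}; do`, which is subject to word splitting and pathname expansion; the conventional form is `for flag in "${flags[@]}"; do`. With the fixed uppercase tokens listed a few lines above this is harmless in practice, but quoting it keeps the ebuild robust if the list is ever extended. The same applies to the unquoted `${QT5_HEADERDIR}` in the redirection target on the `cat >>` line, where `"${D%/}/${QT5_HEADERDIR}/QtCore/qconfig.h"` would be the consistent spelling. The heredoc relies on tab indentation for `<<-` stripping, which this rendering cannot confirm.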
