From: Debian Qt/KDE Maintainers
Date: Thu, 11 Dec 2025 10:02:24 +0000 (+0300)
Subject: increase robustness of tag in Text component
X-Git-Tag: archive/raspbian/5.15.17+dfsg-4+rpi1^2~9
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks:///%22http:/www.example.com/cgi/%22https:/%22bookmarks:/?a=commitdiff_plain;h=70d3e46827957b27fd6567fc953c86cccae9bdf8;p=qtdeclarative-opensource-src.git
increase robustness of tag in Text component
Origin: upstream, https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=4aaf9bf21f7cc69d
Last-Update: 2025-12-09
For Text.StyledText, there was no protection against tags with very large widths or heights. This could cause an application to spend a very long time processing a layout and sometimes crash if the size was too large. We reuse the internal coord limit in QPainter as our maximum size here, similar to what we do in Qt Svg for instance.
For Text.RichText, there were no issues in release builds, but in debug builds, you could trigger an overflow assert when rounding the number if it exceeded INT_MAX. For this, we simply cap the width and height at INT_MAX.
Gbp-Pq: Name CVE-2025-12385.patch
---
diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
index 021bbca0f..2535af6b5 100644
--- a/src/quick/items/qquicktextdocument.cpp
+++ b/src/quick/items/qquicktextdocument.cpp
@@ -137,10 +137,9 @@ QSizeF QQuickTextDocumentWithImageResources::intrinsicSize(
 {
 if (format.isImageFormat()) {
 QTextImageFormat imageFormat = format.toImageFormat();
-
- const int width = qRound(imageFormat.width());
+ const int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
 const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
- const int height = qRound(imageFormat.height());
+ const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
 const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
 QSizeF size(width, height);
diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index a25af9041..120a2593d 100644
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -45,6 +45,11 @@
 #include
 #include "qquickstyledtext_p.h"
 #include
+#include
+
+#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
+# define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
+#endif
 Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
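Review bot: In qquicktextdocument.cpp the two `qBound(qreal(INT_MIN), …, qreal(INT_MAX))` clamps in intrinsicSize() carry no comment saying why they exist, or why this path caps at INT_MAX while the StyledText parser in the same commit uses the raster coordinate limit. A line such as `// Clamp before qRound(): values outside int range trip the rounding overflow assert in debug builds` above `width` would keep a later cleanup from dropping them. The clamp only guards the rounding, so a width or height near INT_MAX still flows into `QSizeF size(width, height)`; whether the code after that tolerates such a size is not visible, since the function body continues outside the hunk. If this build defines qreal as float, `qreal(INT_MAX)` is not exactly representable and rounds up to 2^31, so the upper bound is worth checking for that configuration.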
@@ -694,9 +699,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
 if (attr.first == QLatin1String("src")) {
 image->url = QUrl(attr.second.toString());
 } else if (attr.first == QLatin1String("width")) {
- image->size.setWidth(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setWidth(v);
+ else
+ qCWarning(lcStyledText) << "Invalid width provided for ";
 } else if (attr.first == QLatin1String("height")) {
- image->size.setHeight(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setHeight(v);
+ else
+ qCWarning(lcStyledText) << "Invalid height provided for ";
 } else if (attr.first == QLatin1String("align")) {
 if (attr.second.toString() == QLatin1String("top")) {
 image->align = QQuickStyledTextImgTag::Top;
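Review bot: The new checks in the `width` and `height` branches bound the parsed value only from above, so a negative number that parses cleanly still satisfies `ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT` and reaches `setWidth`/`setHeight`. If negative sizes have no meaning for an image tag, both conditions could read `if (ok && v >= 0 && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)`; how the layout code treats a negative size is not visible in this hunk. Each dimension is also checked on its own, so width and height can both sit at the limit at once, and it is worth confirming that the layout cost at that combined size is acceptable. The warning is emitted for every rejected attribute, which matters if the markup comes from untrusted content and logging is not rate-limited. parseImageAttributes starts and ends outside the hunk.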