increase robustness of <img> tag in Text component

Origin: upstream, https://code.qt.io/cgit/qt/qtdeclarative.git/commit/?id=4aaf9bf21f7cc69d
Last-Update: 2025-12-09

For Text.StyledText, there was no protection against <img> tags
with very large widths or heights. This could cause an application
to spend a very long time processing a layout and sometimes crash
if the size was too large.

We reuse the internal coord limit in QPainter as our maximum size
here, similar to what we do in Qt Svg for instance.

For Text.RichText, there were no issues in release builds, but in
debug builds, you could trigger an overflow assert when rounding
the number if it exceeded INT_MAX. For this, we simply cap the
width and height at INT_MAX.

Gbp-Pq: Name CVE-2025-12385.patch

diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
index 021bbca0f6188b57108d84e36d5e1735a13cea17..2535af6b5372b50033f40bd317d94c5c850595a8 100644 (file)
--- a/src/quick/items/qquicktextdocument.cpp
+++ b/src/quick/items/qquicktextdocument.cpp
@@ -137,10 +137,9 @@ QSizeF QQuickTextDocumentWithImageResources::intrinsicSize(
 {
     if (format.isImageFormat()) {
         QTextImageFormat imageFormat = format.toImageFormat();
-
-        const int width = qRound(imageFormat.width());
+        const int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
         const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
-        const int height = qRound(imageFormat.height());
+        const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
         const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
 
         QSizeF size(width, height);

diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index a25af90414bc4e29efe02c773bf19645a272b93c..120a2593d3da5dafe65acc5d4944db3398e4d4f4 100644 (file)
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -45,6 +45,11 @@
 #include <qmath.h>
 #include "qquickstyledtext_p.h"
 #include <QQmlContext>
+#include <QtGui/private/qoutlinemapper_p.h>
+
+#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
+#  define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
+#endif
 
 Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
 
@@ -694,9 +699,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
             if (attr.first == QLatin1String("src")) {
                 image->url =  QUrl(attr.second.toString());
             } else if (attr.first == QLatin1String("width")) {
-                image->size.setWidth(attr.second.toString().toInt());
+                bool ok;
+                int v = attr.second.toString().toInt(&ok);
+                if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+                    image->size.setWidth(v);
+                else
+                    qCWarning(lcStyledText) << "Invalid width provided for <img>";
             } else if (attr.first == QLatin1String("height")) {
-                image->size.setHeight(attr.second.toString().toInt());
+                bool ok;
+                int v = attr.second.toString().toInt(&ok);
+                if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+                    image->size.setHeight(v);
+                else
+                    qCWarning(lcStyledText) << "Invalid height provided for <img>";
             } else if (attr.first == QLatin1String("align")) {
                 if (attr.second.toString() == QLatin1String("top")) {
                     image->align = QQuickStyledTextImgTag::Top;