CVE-2023-32763

Gbp-Pq: Name CVE-2023-32763.patch

diff --git a/src/corelib/global/qnumeric_p.h b/src/corelib/global/qnumeric_p.h
index 0997b6ed4d304065e53ba8fdc7dd3d6a89d9f687..863f62e4bf267218e279733f5714b953d1e53546 100644 (file)
--- a/src/corelib/global/qnumeric_p.h
+++ b/src/corelib/global/qnumeric_p.h
@@ -238,6 +238,30 @@ static inline bool qt_is_finite(float d)
     }
 }
 
+/*
+ * The section that follows, i.e., the add_overflow() implementation, was taken
+ * from ./src/corelib/global/qnumeric_p.h in an older (i.e., pre-c++11) version
+ * (as of commit 5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975) of the upstream code:
+ * https://code.qt.io/cgit/qt/qtbase.git/tree/src/corelib/global/qnumeric_p.h?id=5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975
+ *
+ * These functions are needed to support part of the patch for CVE-2023-32763.
+ * The older versions are needed because enabling c++11 in this older version is
+ * not possible, as it breaks other parts of the build. Additionally, while the
+ * code from which this originates includes add_overflow implementations for
+ * both unsigned and signed operations, the specific implementation that is
+ * required for this patch is for signed addition, so that is the only method
+ * which has been backported.
+ */
+#include <limits>
+// Signed overflow math
+
+inline bool add_overflow(int v1, int v2, int *r)
+{
+    qint64 t = qint64(v1) + v2;
+    *r = static_cast<int>(t);
+    return t > std::numeric_limits<int>::max() || t < std::numeric_limits<int>::min();
+}
+
 QT_END_NAMESPACE
 
 #endif // QNUMERIC_P_H

diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
index d895a0d0122345a3a62a19ba8ec0d88c59a025ba..4cf4253d8563d8098df3d7df30427f77b05ee7fa 100644 (file)
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -55,6 +55,7 @@
 
 #include "QtCore/qdebug.h"
 #include "QtCore/qpoint.h"
+#include <QtCore/private/qnumeric_p.h>
 #include "QtCore/qsize.h"
 
 QT_BEGIN_NAMESPACE
@@ -181,6 +182,14 @@ inline bool operator<(int i, const QFixed &f) { return (i<<6) < f.value(); }
 inline bool operator>(const QFixed &f, int i) { return f.value() > (i<<6); }
 inline bool operator>(int i, const QFixed &f) { return (i<<6) > f.value(); }
 
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+    int val;
+    bool result = add_overflow(v1.value(), v2.value(), &val);
+    r->setValue(val);
+    return result;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
 { return dbg << f.toReal(); }

diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index 40a4c665e28a09bc28dd589f659392ef3bf2c40f..58f34b8db07325d7cd20646f029ea16d924994a3 100644 (file)
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -1933,11 +1933,14 @@ found:
         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
     } else {
         eng->minWidth = qMax(eng->minWidth, lbh.minw);
-        eng->maxWidth += line.textWidth;
+        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
     }
 
-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
-        eng->maxWidth += lbh.spaceData.textWidth;
+    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
+    }
     if (eng->option.flags() & QTextOption::IncludeTrailingSpaces)
         line.textWidth += lbh.spaceData.textWidth;
     if (lbh.spaceData.length) {