From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Date: Wed, 7 Feb 2024 11:12:42 +0000 (+0000)
Subject: cve-2023-32763
X-Git-Tag: archive/raspbian/6.4.2+dfsg-21.1+rpi1~16
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=29a794c6ef2c35235efa11923985e0a5056c1fa8;p=qt6-base.git

cve-2023-32763


Gbp-Pq: Name cve-2023-32763.diff
---

diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
index f3718a09..c0a13d05 100644
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -18,6 +18,7 @@
 #include <QtGui/private/qtguiglobal_p.h>
 #include "QtCore/qdebug.h"
 #include "QtCore/qpoint.h"
+#include "QtCore/qnumeric.h"
 #include "QtCore/qsize.h"
 
 QT_BEGIN_NAMESPACE
@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i, QFixed d) { return d+i; }
 constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
 // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
 
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+    int val;
+    bool result = qAddOverflow(v1.value(), v2.value(), &val);
+    r->setValue(val);
+    return result;
+}
+
+inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+    int val;
+    bool result = qMulOverflow(v1.value(), v2.value(), &val);
+    r->setValue(val);
+    return result;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 inline QDebug &operator<<(QDebug &dbg, QFixed f)
 { return dbg << f.toReal(); }
diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index e3c69db7..1316d317 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -2105,11 +2105,14 @@ found:
         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
     } else {
         eng->minWidth = qMax(eng->minWidth, lbh.minw);
-        eng->maxWidth += line.textWidth;
+        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
     }
 
-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
-        eng->maxWidth += lbh.spaceData.textWidth;
+    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
+    }
 
     line.textWidth += trailingSpace;
     if (lbh.spaceData.length) {