From 5bdcc32b312e5d6f66cff52c22f203891f2d9942 Mon Sep 17 00:00:00 2001 From: Debian Qt/KDE Maintainers Date: Tue, 22 Aug 2023 14:42:24 +0100 Subject: [PATCH] CVE-2023-32763 Gbp-Pq: Name CVE-2023-32763.patch --- src/corelib/global/qnumeric_p.h | 24 ++++++++++++++++++++++++ src/gui/painting/qfixed_p.h | 9 +++++++++ src/gui/text/qtextlayout.cpp | 9 ++++++--- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/src/corelib/global/qnumeric_p.h b/src/corelib/global/qnumeric_p.h index 0997b6ed4..863f62e4b 100644 --- a/src/corelib/global/qnumeric_p.h +++ b/src/corelib/global/qnumeric_p.h @@ -238,6 +238,30 @@ static inline bool qt_is_finite(float d) } } +/* + * The section that follows, i.e., the add_overflow() implementation, was taken + * from ./src/corelib/global/qnumeric_p.h in an older (i.e., pre-c++11) version + * (as of commit 5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975) of the upstream code: + * https://code.qt.io/cgit/qt/qtbase.git/tree/src/corelib/global/qnumeric_p.h?id=5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975 + * + * These functions are needed to support part of the patch for CVE-2023-32763. + * The older versions are needed because enabling c++11 in this older version is + * not possible, as it breaks other parts of the build. Additionally, while the + * code from which this originates includes add_overflow implementations for + * both unsigned and signed operations, the specific implementation that is + * required for this patch is for signed addition, so that is the only method + * which has been backported. + */ +#include +// Signed overflow math + +inline bool add_overflow(int v1, int v2, int *r) +{ + qint64 t = qint64(v1) + v2; + *r = static_cast(t); + return t > std::numeric_limits::max() || t < std::numeric_limits::min(); +} + QT_END_NAMESPACE #endif // QNUMERIC_P_H diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h index d895a0d01..4cf4253d8 100644 --- a/src/gui/painting/qfixed_p.h +++ b/src/gui/painting/qfixed_p.h @@ -55,6 +55,7 @@ #include "QtCore/qdebug.h" #include "QtCore/qpoint.h" +#include #include "QtCore/qsize.h" QT_BEGIN_NAMESPACE @@ -181,6 +182,14 @@ inline bool operator<(int i, const QFixed &f) { return (i<<6) < f.value(); } inline bool operator>(const QFixed &f, int i) { return f.value() > (i<<6); } inline bool operator>(int i, const QFixed &f) { return (i<<6) > f.value(); } +inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) +{ + int val; + bool result = add_overflow(v1.value(), v2.value(), &val); + r->setValue(val); + return result; +} + #ifndef QT_NO_DEBUG_STREAM inline QDebug &operator<<(QDebug &dbg, const QFixed &f) { return dbg << f.toReal(); } diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp index 40a4c665e..58f34b8db 100644 --- a/src/gui/text/qtextlayout.cpp +++ b/src/gui/text/qtextlayout.cpp @@ -1933,11 +1933,14 @@ found: eng->maxWidth = qMax(eng->maxWidth, line.textWidth); } else { eng->minWidth = qMax(eng->minWidth, lbh.minw); - eng->maxWidth += line.textWidth; + if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) + eng->maxWidth = QFIXED_MAX; } - if (line.textWidth > 0 && item < eng->layoutData->items.size()) - eng->maxWidth += lbh.spaceData.textWidth; + if (line.textWidth > 0 && item < eng->layoutData->items.size()) { + if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth)) + eng->maxWidth = QFIXED_MAX; + } if (eng->option.flags() & QTextOption::IncludeTrailingSpaces) line.textWidth += lbh.spaceData.textWidth; if (lbh.spaceData.length) { -- 2.30.2