[neon/qt/qtbase/Neon/release] debian: Fix massive memory consumption when rendering specially crafted SVG files.
Dmitry Shachnev
null at kde.org
Thu May 5 10:59:25 BST 2022
Git commit 06bc2544d19a7c8a5440f31994cab2cbc8f88d7a by Dmitry Shachnev.
Committed on 27/11/2021 at 18:12.
Pushed by jriddell into branch 'Neon/release'.
Fix massive memory consumption when rendering specially crafted SVG files.
This fixes CVE-2021-38593.
LP: #1950193.
M +3 -0 debian/changelog
A +84 -0 debian/patches/CVE-2021-38593.diff
M +1 -0 debian/patches/series
https://invent.kde.org/neon/qt/qtbase/commit/06bc2544d19a7c8a5440f31994cab2cbc8f88d7a
diff --git a/debian/changelog b/debian/changelog
index 7c6c031..7dbdc27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
qtbase-opensource-src (5.15.2+dfsg-14) UNRELEASED; urgency=medium
+ [ Dmitry Shachnev ]
+ * Backport four upstream commits to fix massive memory consumption when
+ rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193).
-- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org> Sat, 27 Nov 2021 21:06:09 +0300
diff --git a/debian/patches/CVE-2021-38593.diff b/debian/patches/CVE-2021-38593.diff
new file mode 100644
index 0000000..b659fc8
--- /dev/null
+++ b/debian/patches/CVE-2021-38593.diff
@@ -0,0 +1,84 @@
+Description: avoid processing-intensive painting of high number of tiny dashes
+ When stroking a dashed path, an unnecessary amount of processing would
+ be spent if there is a huge number of dashes visible, e.g. because of
+ scaling. Since the dashes are too small to be individually visible
+ anyway, just replace with a semi-transparent solid line for such
+ cases.
+Origin: upstream, commits:
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=6b400e3147dcfd8c
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=84aba80944a2e1c3
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81a7344e1dea5622
+Last-Update: 2021-11-27
+
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -385,10 +385,10 @@ QPainterState *QPaintEngineEx::createSta
+
+ Q_GUI_EXPORT extern bool qt_scaleForTransform(const QTransform &transform, qreal *scale); // qtransform.cpp
+
+-void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &pen)
++void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+ {
+ #ifdef QT_DEBUG_DRAW
+- qDebug() << "QPaintEngineEx::stroke()" << pen;
++ qDebug() << "QPaintEngineEx::stroke()" << inPen;
+ #endif
+
+ Q_D(QPaintEngineEx);
+@@ -403,6 +403,38 @@ void QPaintEngineEx::stroke(const QVecto
+ d->stroker.setCubicToHook(qpaintengineex_cubicTo);
+ }
+
++ QRectF clipRect;
++ QPen pen = inPen;
++ if (pen.style() > Qt::SolidLine) {
++ QRectF cpRect = path.controlPointRect();
++ const QTransform &xf = state()->matrix;
++ if (qt_pen_is_cosmetic(pen, state()->renderHints)) {
++ clipRect = d->exDeviceRect;
++ cpRect.translate(xf.dx(), xf.dy());
++ } else {
++ clipRect = xf.inverted().mapRect(QRectF(d->exDeviceRect));
++ }
++ // Check to avoid generating unwieldy amount of dashes that will not be visible anyway
++ qreal pw = pen.widthF() ? pen.widthF() : 1;
++ QRectF extentRect = cpRect.adjusted(-pw, -pw, pw, pw) & clipRect;
++ qreal extent = qMax(extentRect.width(), extentRect.height());
++ qreal patternLength = 0;
++ const QVector<qreal> pattern = pen.dashPattern();
++ const int patternSize = qMin(pattern.size(), 32);
++ for (int i = 0; i < patternSize; i++)
++ patternLength += qMax(pattern.at(i), qreal(0));
++ patternLength *= pw;
++ if (qFuzzyIsNull(patternLength)) {
++ pen.setStyle(Qt::NoPen);
++ } else if (extent / patternLength > 10000) {
++ // approximate stream of tiny dashes with semi-transparent solid line
++ pen.setStyle(Qt::SolidLine);
++ QColor color(pen.color());
++ color.setAlpha(color.alpha() / 2);
++ pen.setColor(color);
++ }
++ }
++
+ if (!qpen_fast_equals(pen, d->strokerPen)) {
+ d->strokerPen = pen;
+ d->stroker.setJoinStyle(pen.joinStyle());
+@@ -430,14 +462,8 @@ void QPaintEngineEx::stroke(const QVecto
+ return;
+ }
+
+- if (pen.style() > Qt::SolidLine) {
+- if (qt_pen_is_cosmetic(pen, state()->renderHints)){
+- d->activeStroker->setClipRect(d->exDeviceRect);
+- } else {
+- QRectF clipRect = state()->matrix.inverted().mapRect(QRectF(d->exDeviceRect));
+- d->activeStroker->setClipRect(clipRect);
+- }
+- }
++ if (!clipRect.isNull())
++ d->activeStroker->setClipRect(clipRect);
+
+ if (d->activeStroker == &d->stroker)
+ d->stroker.setForceOpen(path.hasExplicitOpen());
diff --git a/debian/patches/series b/debian/patches/series
index 20e561f..8c127ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,6 +13,7 @@ full_width_selection_rtl.diff
xcb_add_a_timeout_control_when_reading_INCR_property.diff
fix_recursion_crash.diff
mysql_field_readonly.diff
+CVE-2021-38593.diff
# Debian specific.
gnukfreebsd.diff
More information about the Neon-commits
mailing list