[neon/qt/qtsvg/Neon/testing] debian: Backport upstream commits to fix out of bounds read in QRadialFetchSimd.

Dmitry Shachnev null at kde.org
Tue May 18 14:03:07 BST 2021


Git commit 85cdb60f69d27bd64504a99ef949fe36d25980a5 by Dmitry Shachnev.
Committed on 12/04/2021 at 17:32.
Pushed by sitter into branch 'Neon/testing'.

Backport upstream commits to fix out of bounds read in QRadialFetchSimd.

Closes: #986798.

M  +3    -0    debian/changelog
A  +35   -0    debian/patches/CVE-2021-3481.diff
A  +1    -0    debian/patches/series

https://invent.kde.org/neon/qt/qtsvg/commit/85cdb60f69d27bd64504a99ef949fe36d25980a5

diff --git a/debian/changelog b/debian/changelog
index cd29c0c..8a32e25 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 qtsvg-opensource-src (5.15.2-3) UNRELEASED; urgency=medium
 
+  [ Dmitry Shachnev ]
+  * Backport upstream commits to fix out of bounds read in QRadialFetchSimd
+    function (CVE-2021-3481, closes: #986798).
 
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Mon, 12 Apr 2021 20:22:26 +0300
 
diff --git a/debian/patches/CVE-2021-3481.diff b/debian/patches/CVE-2021-3481.diff
new file mode 100644
index 0000000..a5256f8
--- /dev/null
+++ b/debian/patches/CVE-2021-3481.diff
@@ -0,0 +1,35 @@
+Description: clamp parsed doubles to float representable values
+Origin: upstream, commits:
+ https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=aceea78cc05ac8ff
+ https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=bfd6ee0d8cf34b63
+Last-Update: 2021-04-12
+
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -65,6 +65,7 @@
+ #include "private/qmath_p.h"
+ 
+ #include "float.h"
++#include <cmath>
+ 
+ QT_BEGIN_NAMESPACE
+ 
+@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
+             val = -val;
+     } else {
+         val = QByteArray::fromRawData(temp, pos).toDouble();
++        // Do not tolerate values too wild to be represented normally by floats
++        if (qFpClassify(float(val)) != FP_NORMAL)
++            val = 0;
+     }
+     return val;
+ 
+@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr
+         ncy = toDouble(cy);
+     if (!r.isEmpty())
+         nr = toDouble(r);
++    if (nr < 0.5)
++        nr = 0.5;
+ 
+     qreal nfx = ncx;
+     if (!fx.isEmpty())
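Review bot: The radius floor `if (nr < 0.5) nr = 0.5;` in the createRadialGradientNode hunk is applied unconditionally and without a comment, so every parsed radius below 0.5 is silently raised, including small positive ones. If the gradient can use bounding-box-relative units (not visible in this hunk), a valid fractional radius would render differently after this patch; that is worth confirming with a rendering test. I would at least record the reason next to the clamp, e.g. `// Keep the radius at or above 0.5; see CVE-2021-3481 (out of bounds read in QRadialFetchSimd)`. Separately, the `float(val)` narrowing in the toDouble hunk relies on out-of-range doubles converting to infinity, which holds for IEEE 754 floats but is not guaranteed by the language, so a short comment stating that assumption would help. Both function bodies start and end outside their hunks.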
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b54f1fe
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-3481.diff


