[neon/qt/qtsvg/Neon/testing] debian: Backport upstream commits to fix out of bounds read in QRadialFetchSimd.
Dmitry Shachnev
null at kde.org
Tue May 18 14:03:07 BST 2021
Git commit 85cdb60f69d27bd64504a99ef949fe36d25980a5 by Dmitry Shachnev.
Committed on 12/04/2021 at 17:32.
Pushed by sitter into branch 'Neon/testing'.
Backport upstream commits to fix out of bounds read in QRadialFetchSimd.
Closes: #986798.
M +3 -0 debian/changelog
A +35 -0 debian/patches/CVE-2021-3481.diff
A +1 -0 debian/patches/series
https://invent.kde.org/neon/qt/qtsvg/commit/85cdb60f69d27bd64504a99ef949fe36d25980a5
diff --git a/debian/changelog b/debian/changelog
index cd29c0c..8a32e25 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
qtsvg-opensource-src (5.15.2-3) UNRELEASED; urgency=medium
+ [ Dmitry Shachnev ]
+ * Backport upstream commits to fix out of bounds read in QRadialFetchSimd
+ function (CVE-2021-3481, closes: #986798).
-- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org> Mon, 12 Apr 2021 20:22:26 +0300
diff --git a/debian/patches/CVE-2021-3481.diff b/debian/patches/CVE-2021-3481.diff
new file mode 100644
index 0000000..a5256f8
--- /dev/null
+++ b/debian/patches/CVE-2021-3481.diff
@@ -0,0 +1,35 @@
+Description: clamp parsed doubles to float representable values
+Origin: upstream, commits:
+ https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=aceea78cc05ac8ff
+ https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=bfd6ee0d8cf34b63
+Last-Update: 2021-04-12
+
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -65,6 +65,7 @@
+ #include "private/qmath_p.h"
+
+ #include "float.h"
++#include <cmath>
+
+ QT_BEGIN_NAMESPACE
+
+@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
+ val = -val;
+ } else {
+ val = QByteArray::fromRawData(temp, pos).toDouble();
++ // Do not tolerate values too wild to be represented normally by floats
++ if (qFpClassify(float(val)) != FP_NORMAL)
++ val = 0;
+ }
+ return val;
+
+@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGr
+ ncy = toDouble(cy);
+ if (!r.isEmpty())
+ nr = toDouble(r);
++ if (nr < 0.5)
++ nr = 0.5;
+
+ qreal nfx = ncx;
+ if (!fx.isEmpty())
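Review bot: The new guard at `if (qFpClassify(float(val)) != FP_NORMAL)` narrows `val` to float before classifying, and converting a finite double outside float's range to float is formally undefined in C++ (on IEEE 754 hardware it saturates to infinity, which is what the check relies on). Classifying the double itself and bounding its magnitude with the constants from the already-included `float.h` gives the same outcome without that conversion: `if (qFpClassify(val) != FP_NORMAL || std::fabs(val) > FLT_MAX || std::fabs(val) < FLT_MIN)` followed by the existing `val = 0;`. Since this patch is a verbatim backport of the two upstream commits named in its header, keeping it as-is and raising the point upstream is preferable to diverging in Debian. The guard also sits only in the `else` branch; if the branch above (the one that negates `val`) can produce out-of-range values, the check belongs after the whole if/else, which cannot be confirmed from this hunk. Both toDouble and createRadialGradient start and end outside the hunk, and the DEP-3 header would benefit from a `Bug-Debian:` field for #986798 next to `Origin:`.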
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b54f1fe
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-3481.diff