user/qt5: Update to 5.12.9

4 files changed, 169 insertions, 92 deletions

diff --git a/user/qt5-qtbase/APKBUILD b/user/qt5-qtbase/APKBUILD
index 8e51ff124..3f5bc413b 100644
--- a/user/qt5-qtbase/APKBUILD
+++ b/user/qt5-qtbase/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=qt5-qtbase
 _pkgname=qtbase-everywhere-src
-pkgver=5.12.6
-pkgrel=2
+pkgver=5.12.9
+pkgrel=0
 pkgdesc="Cross-platform application and UI framework"
 url="https://www.qt.io/"
 arch="all"
@@ -27,8 +27,7 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
 	link-to-execinfo.patch
 	qt-musl-iconv-no-bom.patch
 	time64.patch
-	CVE-2020-0569.patch
-	CVE-2020-0570.patch
+	CVE-2020-17507.patch
 	section-header.patch
 	"
 
@@ -42,6 +41,10 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
 #   5.12.6-r1:
 #     - CVE-2020-0569
 #     - CVE-2020-0570
+#   5.12.9-r0:
+#     - CVE-2015-9541
+#     - CVE-2020-13962
+#     - CVE-2020-17507
 
 _qt5_prefix=/usr/lib/qt5
 _qt5_datadir=/usr/share/qt5
@@ -95,7 +98,7 @@ build() {
 		-system-zlib \
 		-translationdir "$_qt5_datadir"/translations \
 		-no-reduce-relocations \
-		-debug -optimize-debug -force-debug-info \
+		-force-debug-info \
 		$ARCH_OPTS
 	make
 }
@@ -177,11 +180,10 @@ x11() {
 	return 0
 }
 
-sha512sums="5fb82d903b0db95c23c55785047722dea7979e7f94ecaaf374e0c73b4787aabd768a1c79482a091b8b11f61d7bd4fb891675a6842b90cdc9caaa3b393a3187c6  qtbase-everywhere-src-5.12.6.tar.xz
+sha512sums="40916f73e44dbcab2a3196063d491d5563ec3de583436dac25ecf219aea6e7eb55c46ce8b1c761980f90495b91c89bd5239bd081636054311fee6420750319b0  qtbase-everywhere-src-5.12.9.tar.xz
 d00dc607b71a93132f756b952871df9197cfd6d78cc3617544bfa11d7f0eea21ce5dd0d1aeb69dd2702a5694a63d3802accc76499dbf414c01eb56421698cb0c  big-endian-scroll-wheel.patch
 ee78a44e28ba5f728914bfc3d8d5b467896c7de11a02d54b0bce11e40a4338b1f776c1fcc30cbd436df4f548c1ab0b4fe801f01b162ddd5c0f892893e227acfd  link-to-execinfo.patch
 e3982b2df2ab4ba53b7a1329a9eb928eb1fee813c61cf6ac03d3300a767ffb57f019ac0fd89f633cac2330549446ff3d43344871296bf362815e7ebffadefa6b  qt-musl-iconv-no-bom.patch
 436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c  time64.patch
-ddeb0a59cf0901b38669314fd2f14dffba63c6cbd06a3d864cd329081cc2b10323ec52053a6ffe7baf5ee8a1e137331acfe5d874c03596660630dd151828da56  CVE-2020-0569.patch
-b5973799d6dc7c03124b7df5424e5fa84cb81ec3b997e039b84cca21852abaf4ff61780b99c47f1fd6ce64ae61f61b2458ca2929e068644f1973a6f1c53a4d64  CVE-2020-0570.patch
+9ebf15139025d76ff103a1ae77973136b2f883a38dc54febfa44f08060f41ee13016668c96a29c62dcc458125516ba8bdb899b1ab5604dc976b4f72e513bb682  CVE-2020-17507.patch
 47b2973561965e3ef906f03480b3877ad0018f32d31fecb4c410abe22c68ccad7d232cfe68804b70111616e15b979fb26642225b984d8fdbfc6cf6899ad63a0d  section-header.patch"
diff --git a/user/qt5-qtbase/CVE-2020-0569.patch b/user/qt5-qtbase/CVE-2020-0569.patch
deleted file mode 100644
index fa0efdce3..000000000
--- a/user/qt5-qtbase/CVE-2020-0569.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
-From: Olivier Goffart <ogoffart@woboq.com>
-Date: Fri, 8 Nov 2019 11:30:40 +0100
-Subject: Do not load plugin from the $PWD
-
-I see no reason why this would make sense to look for plugins in the current
-directory. And when there are plugins there, it may actually be wrong
-
-Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qpluginloader.cpp | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
-index cadff4f32b..c2443dbdda 100644
---- a/src/corelib/plugin/qpluginloader.cpp
-+++ b/src/corelib/plugin/qpluginloader.cpp
-@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
-         paths.append(fileName.left(slash)); // don't include the '/'
-     } else {
-         paths = QCoreApplication::libraryPaths();
--        paths.prepend(QStringLiteral(".")); // search in current dir first
-     }
- 
-     for (const QString &path : qAsConst(paths)) {
--- 
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch
deleted file mode 100644
index dcf507c0d..000000000
--- a/user/qt5-qtbase/CVE-2020-0570.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
-From: Thiago Macieira <thiago.macieira@intel.com>
-Date: Fri, 10 Jan 2020 09:26:27 -0800
-Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
-
-I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
-find libraries in a haswell/ subdir of the main path, but we only need
-to do that transformation if the library is contains at least one
-directory seprator. That is, if the user asks to load "lib/foo", then we
-should try "lib/haswell/foo" (often, the path prefix will be absolute).
-
-When the library name the user requested has no directory separators, we
-let dlopen() do the transformation for us. Testing on Linux confirms
-glibc does so:
-
-$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
-   1972475:     find library=libXcursor.so.1 [0]; searching
-   1972475:       trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
-   1972475:       trying file=/usr/lib64/haswell/libXcursor.so.1
-   1972475:       trying file=/usr/lib64/libXcursor.so.1
-   1972475:     calling init: /usr/lib64/libXcursor.so.1
-   1972475:     calling fini: /usr/lib64/libXcursor.so.1 [0]
-
-Fixes: QTBUG-81272
-Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
-index f0de1010d7..135b82cd37 100644
---- a/src/corelib/plugin/qlibrary_unix.cpp
-+++ b/src/corelib/plugin/qlibrary_unix.cpp
-@@ -1,7 +1,7 @@
- /****************************************************************************
- **
- ** Copyright (C) 2016 The Qt Company Ltd.
--** Copyright (C) 2018 Intel Corporation
-+** Copyright (C) 2020 Intel Corporation
- ** Contact: https://www.qt.io/licensing/
- **
- ** This file is part of the QtCore module of the Qt Toolkit.
-@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
-         for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
-             if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
-                 continue;
-+            if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
-+                continue;
-             if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
-                 continue;
-             if (loadHints & QLibrary::LoadArchiveMemberHint) {
--- 
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-17507.patch b/user/qt5-qtbase/CVE-2020-17507.patch
new file mode 100644
index 000000000..126b55c96
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-17507.patch
@@ -0,0 +1,159 @@
+From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001
+From: Robert Loehning <robert.loehning@qt.io>
+Date: Thu, 9 Jul 2020 13:33:34 +0200
+Subject: [PATCH] Fix buffer overflow
+
+Fixes: oss-fuzz-23988
+Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/gui/image/qxpmhandler.cpp                               | 2 +-
+ tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 +
+ tests/auto/gui/image/qimagereader/tst_qimagereader.cpp      | 8 ++++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+
+diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
+index 17272ffe69b..417dab7ce3f 100644
+--- a/src/gui/image/qxpmhandler.cpp
++++ b/src/gui/image/qxpmhandler.cpp
+@@ -973,7 +973,7 @@ static bool read_xpm_body(
+             } else {
+                 char b[16];
+                 b[cpp] = '\0';
+-                for (x=0; x<w && d<end; x++) {
++                for (x=0; x<w && d+cpp<end; x++) {
+                     memcpy(b, (char *)d, cpp);
+                     *p++ = (uchar)colorMap[xpmHash(b)];
+                     d += cpp;
+diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+new file mode 100644
+index 00000000000..7e6c1e4ca2e
+--- /dev/null
++++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+@@ -0,0 +1 @@
++/* XPM "20 8 1 7""    ÿÿ c  ÿ"  "             ÿÿÿÿÿÿÿ                " 
+\ No newline at end of file
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 1eee2f273ef..0135e48c7df 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -167,6 +167,8 @@ private slots:
+     void devicePixelRatio_data();
+     void devicePixelRatio();
+ 
++    void xpmBufferOverflow();
++
+ private:
+     QString prefix;
+     QTemporaryDir m_temporaryDir;
+@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
+     QCOMPARE(img.devicePixelRatio(), dpr);
+ }
+ 
++void tst_QImageReader::xpmBufferOverflow()
++{
++    // Please note that the overflow only showed when Qt was configured with "-sanitize address".
++    QImageReader(":/images/oss-fuzz-23988.xpm").read();
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+-- 
+2.16.3
+
+From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: [PATCH] Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/gui/image/qxbmhandler.cpp                      |  4 ++-
+ .../gui/image/qimagereader/tst_qimagereader.cpp    | 37 ++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index 7ba44049b48..8c4be4f0eda 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
+     w = (w+7)/8;                                // byte width
+ 
+     while (y < h) {                                // for all encoded bytes...
+-        if (p) {                                // p = "0x.."
++        if (p && p < (buf + readBytes - 3)) {      // p = "0x.."
++            if (!isxdigit(p[2]) || !isxdigit(p[3]))
++                return false;
+             *b++ = hex2byte(p+2);
+             p += 2;
+             if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 0135e48c7df..61b11a77794 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -168,6 +168,7 @@ private slots:
+     void devicePixelRatio();
+ 
+     void xpmBufferOverflow();
++    void xbmBufferHandling();
+ 
+ private:
+     QString prefix;
+@@ -2010,5 +2011,41 @@ void tst_QImageReader::xpmBufferOverflow()
+     QImageReader(":/images/oss-fuzz-23988.xpm").read();
+ }
+ 
++void tst_QImageReader::xbmBufferHandling()
++{
++    uint8_t original_buffer[256];
++    for (int i = 0; i < 256; ++i)
++        original_buffer[i] = i;
++
++    QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++    image.setColorTable({0xff000000, 0xffffffff});
++
++    QByteArray buffer;
++    {
++        QBuffer buf(&buffer);
++        QImageWriter writer(&buf, "xbm");
++        writer.write(image);
++    }
++
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++    auto i = buffer.indexOf(',');
++    buffer.insert(i + 1, "                                                                                ");
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++    buffer.insert(i + 1, "                                                                                ");
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++    buffer.insert(i + 1, "                                                                              ");
++#if 0   // Lines longer than 300 chars not supported currently
++    QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++    i = buffer.lastIndexOf("\n ");
++    buffer.truncate(i + 1);
++    buffer.append(QByteArray(297, ' '));
++    buffer.append("0x");
++    // Only check we get no buffer overflow
++    QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+-- 
+2.16.3
+