summaryrefslogtreecommitdiff
path: root/user/qt5-qtsvg/kde-lts.patch
blob: 13e611a4ae15ecae77187135aa531d426f5c9d3e (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197

From 62ad7cfc0290d2723e7c0afacfb7dbee6a1b0293 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io>
Date: Wed, 17 Feb 2021 19:20:42 +0100
Subject: [PATCH 1/5] Avoid buffer overflow in isSupportedSvgFeature

Fixes oss-fuzz issue 29873.

Pick-to: 6.0 6.1
Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit afde7ca3a40f524e40052df696f74190452b22cb)
---
 src/svg/qsvgstructure.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b5..89c9e4ec 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str)
     };
 
     if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+        const char16_t unicode44 = str.at(44).unicode();
+        const char16_t unicode45 = str.at(45).unicode();
+        if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))
+            return false;
         const int key = str.length()
-                        + asso_values[str.at(45).unicode()]
-                        + asso_values[str.at(44).unicode()];
+                        + asso_values[unicode45]
+                        + asso_values[unicode44];
         if (key <= MAX_HASH_VALUE && key >= 0)
             return str == QLatin1String(wordlist[key]);
     }
-- 
2.49.0

From 8d0ba96f68d8bf4ae2c6139ac88a026965bc6ef2 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Mon, 11 Oct 2021 11:13:57 +0200
Subject: [PATCH 2/5] Support font size not in pixels

Fixes: QTBUG-97422
Pick-to: 6.2
Change-Id: I4df2af0e657f241af69480e6e30d454870df51d8
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 4531aad935d55924a32212b339c657ce363a6c08)
---
 src/svg/qsvghandler.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index dd9b7164..f37bf42e 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -1393,9 +1393,10 @@ static void parseFont(QSvgNode *node,
         case FontSizeNone:
             break;
         case FontSizeValue: {
-            QSvgHandler::LengthType dummy; // should always be pixel size
-            fontStyle->setSize(qMin(parseLength(attributes.fontSize, dummy, handler),
-                                    qreal(0xffff)));
+            QSvgHandler::LengthType type;
+            qreal fs = parseLength(attributes.fontSize, type, handler);
+            fs = convertToPixels(fs, true, type);
+            fontStyle->setSize(qMin(fs, qreal(0xffff)));
         }
             break;
         default:
-- 
2.49.0

From 1342b53893ed984198d0664db491e3f4e353b405 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Mon, 11 Oct 2021 11:11:26 +0200
Subject: [PATCH 3/5] Fix text x/y when the length is not in pixels

Fixes: QTBUG-97421
Pick-to: 6.2
Change-Id: I41f3cbf8e747530a67fe5074a988ba49aeb43b8e
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit fc1e1878743bcaac0c81a4748a00d0042cc15815)
---
 src/svg/qsvghandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index f37bf42e..836f9a65 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3353,7 +3353,9 @@ static QSvgNode *createTextNode(QSvgNode *parent,
     //### editable and rotate not handled
     QSvgHandler::LengthType type;
     qreal nx = parseLength(x, type, handler);
+    nx = convertToPixels(nx, true, type);
     qreal ny = parseLength(y, type, handler);
+    ny = convertToPixels(ny, true, type);
 
     QSvgNode *text = new QSvgText(parent, QPointF(nx, ny));
     return text;
-- 
2.49.0

From 45d600c4f73ae4cdc4cd87f622d680375ba7f573 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Fri, 5 Mar 2021 12:52:36 +0100
Subject: [PATCH 4/5] Improve parsing of "r"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Negative r values are illegal, and zero means empty for circles.

Pick-to: 6.1
Change-Id: Icb1d932f35909f71dafe1ee69eb2250eeb1bb2ad
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 4a88e194e6b243e83703ad83d95e49b2febed99e)
---
 src/svg/qsvghandler.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 836f9a65..222b6d89 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -2579,6 +2579,8 @@ static QSvgNode *createCircleNode(QSvgNode *parent,
     qreal ncx = toDouble(cx);
     qreal ncy = toDouble(cy);
     qreal nr  = toDouble(r);
+    if (nr < 0.0)
+        return nullptr;
 
     QRectF rect(ncx-nr, ncy-nr, nr*2, nr*2);
     QSvgNode *circle = new QSvgCircle(parent, rect);
@@ -3049,15 +3051,16 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
 
     qreal ncx = 0.5;
     qreal ncy = 0.5;
-    qreal nr  = 0.5;
     if (!cx.isEmpty())
         ncx = toDouble(cx);
     if (!cy.isEmpty())
         ncy = toDouble(cy);
+
+    qreal nr = 0.0;
     if (!r.isEmpty())
         nr = toDouble(r);
-    if (nr < 0.5)
-        nr = 0.5;
+    if (nr <= 0.0)
+        return nullptr;
 
     qreal nfx = ncx;
     if (!fx.isEmpty())
-- 
2.49.0

From 9c149213f46b844607cf7db8f800d906db3a682f Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 25 Oct 2021 14:43:09 +0200
Subject: [PATCH 5/5] SVG Image reading: Reject oversize svgs as corrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add an upper limit for height and width at 0xffff, same as jpeg.

Fixes: QTBUG-95891
Pick-to: 6.2 5.15 5.12
Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da)

asturmlechner 2022-01-03: resolve conflict with preceding dev branch
  commit 0003ec68e9925a8386eb055e0030fe7f270aa56f.
---
 src/plugins/imageformats/svg/qsvgiohandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index 561e77e9..12e05748 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -191,6 +191,8 @@ bool QSvgIOHandler::read(QImage *image)
             }
         }
         if (!finalSize.isEmpty()) {
+            if (qMax(finalSize.width(), finalSize.height()) > 0xffff)
+                return false; // Assume corrupted file
             image->fill(d->backColor.rgba());
             QPainter p(image);
             d->r.render(&p, bounds);
-- 
2.49.0
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-08-11 09:18:39 +0000