diff -Nru qtbase-opensource-src-5.9.5+dfsg/debian/changelog qtbase-opensource-src-5.9.5+dfsg/debian/changelog --- qtbase-opensource-src-5.9.5+dfsg/debian/changelog 2020-07-30 22:49:52.000000000 +0000 +++ qtbase-opensource-src-5.9.5+dfsg/debian/changelog 2021-09-17 21:10:04.000000000 +0000 @@ -1,9 +1,27 @@ -qtbase-opensource-src (5.9.5+dfsg-0ubuntu2.5~16.04.sav0) xenial; urgency=medium +qtbase-opensource-src (5.9.5+dfsg-0ubuntu2.6~16.04.sav0) xenial; urgency=medium * Backport to Xenial * Update symbols from build logs - -- Rob Savoury Thu, 30 Jul 2020 15:49:52 -0700 + -- Rob Savoury Fri, 17 Sep 2021 14:10:04 -0700 + +qtbase-opensource-src (5.9.5+dfsg-0ubuntu2.6) bionic-security; urgency=medium + + * SECURITY UPDATE: buffer overread in read_xbm_body + - debian/patches/CVE-2020-17507.patch: fix buffer overflow in XBM + parser in src/gui/image/qxbmhandler.cpp, + tests/auto/gui/image/qimagereader/tst_qimagereader.cpp. + - CVE-2020-17507 + * SECURITY UPDATE: out-of-bounds write in QOutlineMapper::convertPath + - debian/patches/CVE-2021-38593-1.patch: avoid processing-intensive + painting of high number of tiny dashes in + src/gui/painting/qpaintengineex.cpp, + tests/auto/other/lancelot/scripts/tinydashes.qps. + - debian/patches/CVE-2021-38593-2.patch: improve fix for avoiding huge + number of tiny dashes in src/gui/painting/qpaintengineex.cpp. + - CVE-2021-38593 + + -- Marc Deslauriers Thu, 19 Aug 2021 09:17:52 -0400 qtbase-opensource-src (5.9.5+dfsg-0ubuntu2.5) bionic-security; urgency=medium diff -Nru qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2020-17507.patch qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2020-17507.patch --- qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2020-17507.patch 1970-01-01 00:00:00.000000000 +0000 +++ qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2020-17507.patch 2021-08-19 13:15:58.000000000 +0000 
@@ -0,0 +1,89 @@
+Backport of:
+
+From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning
+Reviewed-by: Eirik Aavitsland
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Allan Sandfeld Jensen
+---
+ src/gui/image/qxbmhandler.cpp | 4 ++-
+ .../gui/image/qimagereader/tst_qimagereader.cpp | 37 ++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *dev
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -164,6 +164,8 @@ private slots:
+ void preserveTexts_data();
+ void preserveTexts();
+
++ void xbmBufferHandling();
++
+ private:
+ QString prefix;
+ QTemporaryDir m_temporaryDir;
+@@ -1967,5 +1969,41 @@ void tst_QImageReader::preserveTexts()
+ }
+
+
++void tst_QImageReader::xbmBufferHandling()
++{
++ uint8_t original_buffer[256];
++ for (int i = 0; i < 256; ++i)
++ original_buffer[i] = i;
++
++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++ image.setColorTable({0xff000000, 0xffffffff});
++
++ QByteArray buffer;
++ {
++ QBuffer buf(&buffer);
++ QImageWriter writer(&buf, "xbm");
++ writer.write(image);
++ }
++
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++ auto i = buffer.indexOf(',');
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++#if 0 // Lines longer than 300 chars not supported currently
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++ i = buffer.lastIndexOf("\n ");
++ buffer.truncate(i + 1);
++ buffer.append(QByteArray(297, ' '));
++ buffer.append("0x");
++ // Only check we get no buffer overflow
++ QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
diff -Nru qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-1.patch qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-1.patch
--- qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-1.patch 2021-08-19 13:17:52.000000000 +0000
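Review bot: In the read_xbm_body hunk, `isxdigit(p[2])` and `isxdigit(p[3])` are given a plain `char`; if `buf` is a `char` array (its declaration is outside the hunk), a byte of 0x80 or above in the image data is negative where `char` is signed, and passing a negative value other than EOF to `isxdigit` is undefined behaviour, so the check should read `if (!isxdigit(static_cast<unsigned char>(p[2])) || !isxdigit(static_cast<unsigned char>(p[3])))`. The bound `p < (buf + readBytes - 3)` is right for what follows, assuming `readBytes` is the number of bytes currently in `buf` as its name suggests: it keeps `p[3]` inside the bytes read, which is exactly what `hex2byte(p+2)` consumes, and a one-line comment such as `// "0x" plus two hex digits must all lie within the readBytes read into buf` would stop the `- 3` looking arbitrary. The new test pins only the overflow case; its `#if 0` block leaves the over-300-character line that the commit message calls unreliable unexercised, which is fine as long as that is intended. read_xbm_body starts and ends outside the hunk.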
@@ -0,0 +1,128 @@
+Backport of:
+
+From 6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland
+Date: Tue, 13 Apr 2021 14:23:45 +0200
+Subject: [PATCH] Avoid processing-intensive painting of high number of tiny
+ dashes
+
+When stroking a dashed path, an unnecessary amount of processing would
+be spent if there is a huge number of dashes visible, e.g. because of
+scaling. Since the dashes are too small to be indivdually visible
+anyway, just replace with a semi-transparent solid line for such
+cases.
+
+Change-Id: I9e9f7861257ad5bce46a0cf113d1a9d7824911e6
+Reviewed-by: Allan Sandfeld Jensen
+(cherry picked from commit f4d791b330d02777fcaf02938732892eb3167e9b)
+Reviewed-by: Qt Cherry-pick Bot
+---
+ src/gui/painting/qpaintengineex.cpp | 44 +++++++++++++++----
+ .../other/lancelot/scripts/tinydashes.qps | 34 ++++++++++++++
+ 2 files changed, 69 insertions(+), 9 deletions(-)
+ create mode 100644 tests/auto/other/lancelot/scripts/tinydashes.qps
+
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -385,7 +385,7 @@ QPainterState *QPaintEngineEx::createSta
+
+ Q_GUI_EXPORT extern bool qt_scaleForTransform(const QTransform &transform, qreal *scale); // qtransform.cpp
+
+-void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &pen)
++void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+ {
+ #ifdef QT_DEBUG_DRAW
+ qDebug() << "QPaintEngineEx::stroke()" << pen;
+@@ -403,6 +403,38 @@ void QPaintEngineEx::stroke(const QVecto
+ d->stroker.setCubicToHook(qpaintengineex_cubicTo);
+ }
+
++ QRectF clipRect;
++ QPen pen = inPen;
++ if (pen.style() > Qt::SolidLine) {
++ QRectF cpRect = path.controlPointRect();
++ const QTransform &xf = state()->matrix;
++ if (pen.isCosmetic()) {
++ clipRect = d->exDeviceRect;
++ cpRect.translate(xf.dx(), xf.dy());
++ } else {
++ clipRect = xf.inverted().mapRect(QRectF(d->exDeviceRect));
++ }
++ // Check to avoid generating unwieldy amount of dashes that will not be visible anyway
++ QRectF extentRect = cpRect & clipRect;
++ qreal extent = qMax(extentRect.width(), extentRect.height());
++ qreal patternLength = 0;
++ const QVector pattern = pen.dashPattern();
++ const int patternSize = qMin(pattern.size(), 32);
++ for (int i = 0; i < patternSize; i++)
++ patternLength += qMax(pattern.at(i), qreal(0));
++ if (pen.widthF())
++ patternLength *= pen.widthF();
++ if (qFuzzyIsNull(patternLength)) {
++ pen.setStyle(Qt::NoPen);
++ } else if (extent / patternLength > 10000) {
++ // approximate stream of tiny dashes with semi-transparent solid line
++ pen.setStyle(Qt::SolidLine);
++ QColor color(pen.color());
++ color.setAlpha(color.alpha() / 2);
++ pen.setColor(color);
++ }
++ }
++
+ if (!qpen_fast_equals(pen, d->strokerPen)) {
+ d->strokerPen = pen;
+ d->stroker.setJoinStyle(pen.joinStyle());
+@@ -430,14 +462,8 @@ void QPaintEngineEx::stroke(const QVecto
+ return;
+ }
+
+- if (pen.style() > Qt::SolidLine) {
+- if (qt_pen_is_cosmetic(pen, state()->renderHints)){
+- d->activeStroker->setClipRect(d->exDeviceRect);
+- } else {
+- QRectF clipRect = state()->matrix.inverted().mapRect(QRectF(d->exDeviceRect));
+- d->activeStroker->setClipRect(clipRect);
+- }
+- }
++ if (!clipRect.isNull())
++ d->activeStroker->setClipRect(clipRect);
+
+ const QPainterPath::ElementType *types = path.elements();
+ const qreal *points = path.points();
+--- /dev/null
++++ b/tests/auto/other/lancelot/scripts/tinydashes.qps
+@@ -0,0 +1,34 @@
++# Version: 1
++# CheckVsReference: 5%
++
++path_addEllipse mypath 20.0 20.0 200.0 200.0
++
++save
++setPen blue 20 SolidLine FlatCap
++pen_setCosmetic true
++pen_setDashPattern [ 0.0004 0.0004 ]
++setBrush yellow
++
++drawPath mypath
++translate 300 0
++setRenderHint Antialiasing true
++drawPath mypath
++restore
++
++path_addEllipse bigpath 200000.0 200000.0 2000000.0 2000000.0
++
++setPen blue 20 DotLine FlatCap
++setBrush yellow
++
++save
++translate 0 300
++scale 0.0001 0.00011
++drawPath bigpath
++restore
++
++save
++translate 300 300
++setRenderHint Antialiasing true
++scale 0.0001 0.00011
++drawPath bigpath
++restore
diff -Nru qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-2.patch qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-2.patch
--- qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ qtbase-opensource-src-5.9.5+dfsg/debian/patches/CVE-2021-38593-2.patch 2021-08-19 13:17:42.000000000 +0000
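Review bot: The new `if (pen.isCosmetic())` in stroke() picks the clip rectangle with a different test than the block it replaces, which used `qt_pen_is_cosmetic(pen, state()->renderHints)`; that helper takes the render hints, so presumably the two can disagree for some pens in this 5.9 tree, and for such a pen the stroker would now be clipped by a rectangle in the wrong coordinate space. The helper was in scope for the removed block, so keeping the backport behaviour-neutral is a one-line change: `if (qt_pen_is_cosmetic(pen, state()->renderHints)) {`. Separately, `const QVector pattern = pen.dashPattern();` appears here without its element type; if that is not an artefact of how this page was rendered, the patch file will not compile as written. The `qMin(pattern.size(), 32)` cap silently truncates the pattern-length sum, which biases the `> 10000` ratio towards the approximation for long patterns, and both that cap and the threshold deserve a short comment such as `// only the first 32 entries are summed; the ratio is a heuristic, not an exact dash count`. stroke() continues between and after the hunks.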
@@ -0,0 +1,32 @@
+From 1ca02cf2879a5e1511a2f2109f0925cf4c892862 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland
+Date: Fri, 23 Jul 2021 15:53:56 +0200
+Subject: [PATCH] Improve fix for avoiding huge number of tiny dashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some pathological cases were not caught by the previous fix.
+
+Fixes: QTBUG-95239
+Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5
+Reviewed-by: Robert Löhning
+(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c)
+Reviewed-by: Qt Cherry-pick Bot
+---
+ src/gui/painting/qpaintengineex.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
+index d752c01f6a7..2c034cdad78 100644
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+ patternLength *= pen.widthF();
+ if (qFuzzyIsNull(patternLength)) {
+ pen.setStyle(Qt::NoPen);
+- } else if (extent / patternLength > 10000) {
++ } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
+ // approximate stream of tiny dashes with semi-transparent solid line
+ pen.setStyle(Qt::SolidLine);
+ QColor color(pen.color());
diff -Nru qtbase-opensource-src-5.9.5+dfsg/debian/patches/series qtbase-opensource-src-5.9.5+dfsg/debian/patches/series
--- qtbase-opensource-src-5.9.5+dfsg/debian/patches/series 2020-02-07 15:38:29.000000000 +0000
+++ qtbase-opensource-src-5.9.5+dfsg/debian/patches/series 2021-08-19 13:17:52.000000000 +0000
@@ -26,3 +26,6 @@
 hidpi_scale_at_192.diff
 CVE-2018-19872.patch
 CVE-2020-0569.patch
+CVE-2020-17507.patch
+CVE-2021-38593-1.patch
+CVE-2021-38593-2.patch
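Review bot: The widened condition `} else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {` now routes a (fuzzy-)zero visible extent into the half-alpha solid-line branch, but the comment on the next line, `// approximate stream of tiny dashes with semi-transparent solid line`, still explains only the second operand, so a reader cannot tell the null-extent case is deliberate rather than a fall-through. Suggest extending it, e.g. `// a (near-)zero extent is a pathological case the ratio test cannot catch (QTBUG-95239); treat it like the tiny-dash case`. The operand order does not matter for safety here, since the preceding `qFuzzyIsNull(patternLength)` branch already keeps the division away from a zero pattern length. stroke() lies entirely outside this three-line context.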