File CVE-2023-32763.patch of Package libqt4.40303
---
src/corelib/global/qnumeric_p.h | 24 ++++++++++++++++++++++++
src/gui/painting/qfixed_p.h | 9 +++++++++
src/gui/text/qtextlayout.cpp | 9 ++++++---
3 files changed, 39 insertions(+), 3 deletions(-)
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -55,6 +55,7 @@
#include "QtCore/qdebug.h"
#include "QtCore/qpoint.h"
+#include <QtCore/private/qnumeric_p.h>
#include "QtCore/qsize.h"
QT_BEGIN_NAMESPACE
@@ -181,6 +182,14 @@
inline bool operator>(const QFixed &f, int i) { return f.value() > (i<<6); }
inline bool operator>(int i, const QFixed &f) { return (i<<6) > f.value(); }
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+ int val;
+ bool result = add_overflow(v1.value(), v2.value(), &val);
+ r->setValue(val);
+ return result;
+}
+
#ifndef QT_NO_DEBUG_STREAM
inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
{ return dbg << f.toReal(); }
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -1933,11 +1933,14 @@
eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
} else {
eng->minWidth = qMax(eng->minWidth, lbh.minw);
- eng->maxWidth += line.textWidth;
+ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+ eng->maxWidth = QFIXED_MAX;
}
- if (line.textWidth > 0 && item < eng->layoutData->items.size())
- eng->maxWidth += lbh.spaceData.textWidth;
+ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+ eng->maxWidth = QFIXED_MAX;
+ }
if (eng->option.flags() & QTextOption::IncludeTrailingSpaces)
line.textWidth += lbh.spaceData.textWidth;
if (lbh.spaceData.length) {
--- a/src/corelib/global/qnumeric_p.h
+++ b/src/corelib/global/qnumeric_p.h
@@ -238,6 +238,30 @@
}
}
+/*
+ * The section that follows, i.e., the add_overflow() implementation, was taken
+ * from ./src/corelib/global/qnumeric_p.h in an older (i.e., pre-c++11) version
+ * (as of commit 5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975) of the upstream code:
+ * https://code.qt.io/cgit/qt/qtbase.git/tree/src/corelib/global/qnumeric_p.h?id=5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975
+ *
+ * These functions are needed to support part of the patch for CVE-2023-32763.
+ * The older versions are needed because enabling c++11 in this older version is
+ * not possible, as it breaks other parts of the build. Additionally, while the
+ * code from which this originates includes add_overflow implementations for
+ * both unsigned and signed operations, the specific implementation that is
+ * required for this patch is for signed addition, so that is the only method
+ * which has been backported.
+ */
+#include <limits>
+// Signed overflow math
+
+inline bool add_overflow(int v1, int v2, int *r)
+{
+ qint64 t = qint64(v1) + v2;
+ *r = static_cast<int>(t);
+ return t > std::numeric_limits<int>::max() || t < std::numeric_limits<int>::min();
+}
+
QT_END_NAMESPACE
#endif // QNUMERIC_P_H
