File CVE-2023-32763.patch of Package libqt4

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-32763.patch of Package libqt4

---
 src/corelib/global/qnumeric_p.h |   24 ++++++++++++++++++++++++
 src/gui/painting/qfixed_p.h     |    9 +++++++++
 src/gui/text/qtextlayout.cpp    |    9 ++++++---
 3 files changed, 39 insertions(+), 3 deletions(-)

--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -55,6 +55,7 @@
 
 #include "QtCore/qdebug.h"
 #include "QtCore/qpoint.h"
+#include <QtCore/private/qnumeric_p.h>
 #include "QtCore/qsize.h"
 
 QT_BEGIN_NAMESPACE
@@ -181,6 +182,14 @@
 inline bool operator>(const QFixed &f, int i) { return f.value() > (i<<6); }
 inline bool operator>(int i, const QFixed &f) { return (i<<6) > f.value(); }
 
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+    int val;
+    bool result = add_overflow(v1.value(), v2.value(), &val);
+    r->setValue(val);
+    return result;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
 { return dbg << f.toReal(); }
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -1933,11 +1933,14 @@
         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
     } else {
         eng->minWidth = qMax(eng->minWidth, lbh.minw);
-        eng->maxWidth += line.textWidth;
+        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
     }
 
-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
-        eng->maxWidth += lbh.spaceData.textWidth;
+    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+            eng->maxWidth = QFIXED_MAX;
+    }
     if (eng->option.flags() & QTextOption::IncludeTrailingSpaces)
         line.textWidth += lbh.spaceData.textWidth;
     if (lbh.spaceData.length) {
--- a/src/corelib/global/qnumeric_p.h
+++ b/src/corelib/global/qnumeric_p.h
@@ -238,6 +238,30 @@
     }
 }
 
+/*
+ * The section that follows, i.e., the add_overflow() implementation, was taken
+ * from ./src/corelib/global/qnumeric_p.h in an older (i.e., pre-c++11) version
+ * (as of commit 5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975) of the upstream code:
+ * https://code.qt.io/cgit/qt/qtbase.git/tree/src/corelib/global/qnumeric_p.h?id=5ff7a3d96e0ce0dcb3d388b53d038cdd40c7a975
+ *
+ * These functions are needed to support part of the patch for CVE-2023-32763.
+ * The older versions are needed because enabling c++11 in this older version is
+ * not possible, as it breaks other parts of the build. Additionally, while the
+ * code from which this originates includes add_overflow implementations for
+ * both unsigned and signed operations, the specific implementation that is
+ * required for this patch is for signed addition, so that is the only method
+ * which has been backported.
+ */
+#include <limits>
+// Signed overflow math
+
+inline bool add_overflow(int v1, int v2, int *r)
+{
+    qint64 t = qint64(v1) + v2;
+    *r = static_cast<int>(t);
+    return t > std::numeric_limits<int>::max() || t < std::numeric_limits<int>::min();
+}
+
 QT_END_NAMESPACE
 
 #endif // QNUMERIC_P_H

Places

File CVE-2023-32763.patch of Package libqt4

Places