Diffstat (limited to 'dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch')
-rw-r--r--dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch91
1 files changed, 91 insertions, 0 deletions
diff --git a/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch b/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch
new file mode 100644
index 000000000000..5d9393b72cd5
--- /dev/null
+++ b/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch
@@ -0,0 +1,91 @@
+From f78bc0b2c6884fd730bf34a931870d67936cf01d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sun, 7 Dec 2025 11:44:35 +0100
+Subject: [PATCH] Increase robustness of <img> tag in Text component
+
+For Text.StyledText, there was no protection against <img> tags
+with very large widths or heights. This could cause an application
+to spend a very long time processing a layout and sometimes crash
+if the size was too large.
+
+We reuse the internal coord limit in QPainter as our maximum size
+here, similar to what we do in Qt Svg for instance.
+
+For Text.RichText, there were no issues in release builds, but in
+debug builds, you could trigger an overflow assert when rounding
+the number if it exceeded INT_MAX. For this, we simply cap the
+width and height at INT_MAX.
+
+Fixes: QTBUG-141515
+Pick-to: 5.15
+Change-Id: I4bcba16158f5f495a0de38963316effc4c46aae1
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit 4aaf9bf21f7cc69d73066785e254b664fcc82025)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+(cherry picked from commit 907c7ceb7b27586039262567273efd5ec79e6202)
+(cherry picked from commit c4b74f27058b302a101befc2c1967f8c00b41be7)
+
+This is actually a manual patch based on
+https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff
+---
+ src/quick/items/qquicktextdocument.cpp | 4 ++--
+ src/quick/util/qquickstyledtext.cpp | 19 +++++++++++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
+index 021bbca0f6..67ed63d0de 100644
+--- a/src/quick/items/qquicktextdocument.cpp
++++ b/src/quick/items/qquicktextdocument.cpp
+@@ -138,9 +138,9 @@ QSizeF QQuickTextDocumentWithImageResources::intrinsicSize(
+ if (format.isImageFormat()) {
+ QTextImageFormat imageFormat = format.toImageFormat();
+
+- const int width = qRound(imageFormat.width());
++ int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
+ const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
+- const int height = qRound(imageFormat.height());
++ const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
+ const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
+
+ QSizeF size(width, height);
+diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
+index a25af90414..120a2593d3 100644
+--- a/src/quick/util/qquickstyledtext.cpp
++++ b/src/quick/util/qquickstyledtext.cpp
+@@ -45,6 +45,11 @@
+ #include <qmath.h>
+ #include "qquickstyledtext_p.h"
+ #include <QQmlContext>
++#include <QtGui/private/qoutlinemapper_p.h>
++
++#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
++# define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
++#endif
+
+ Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
+
+@@ -694,9 +699,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
+ if (attr.first == QLatin1String("src")) {
+ image->url = QUrl(attr.second.toString());
+ } else if (attr.first == QLatin1String("width")) {
+- image->size.setWidth(attr.second.toString().toInt());
++ bool ok;
++ int v = attr.second.toString().toInt(&ok);
++ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
++ image->size.setWidth(v);
++ else
++ qCWarning(lcStyledText) << "Invalid width provided for <img>";
+ } else if (attr.first == QLatin1String("height")) {
+- image->size.setHeight(attr.second.toString().toInt());
++ bool ok;
++ int v = attr.second.toString().toInt(&ok);
++ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
++ image->size.setHeight(v);
++ else
++ qCWarning(lcStyledText) << "Invalid height provided for <img>";
+ } else if (attr.first == QLatin1String("align")) {
+ if (attr.second.toString() == QLatin1String("top")) {
+ image->align = QQuickStyledTextImgTag::Top;
+--
+2.52.0
+
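Review bot: The new `width`/`height` checks in `parseImageAttributes` bound the value only from above (`ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT`), so a negative attribute still reaches `image->size.setWidth(v)` / `setHeight(v)`; unless later layout code already treats a negative size as unset, the guard could read `if (ok && v >= 0 && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)`. In the `intrinsicSize` hunk this manual backport drops `const` from `width` while keeping it on `height`; nothing visible in the hunk modifies `width`, so `const int width = …` would keep the two lines parallel. The clamp also relies on `qreal(INT_MAX)` being exactly representable, which holds when `qreal` is `double` but presumably not on builds where it is `float`. Both functions continue outside the embedded hunks, so these points should be checked against the full 5.15.18 sources.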