Diffstat (limited to 'dev-qt')
| -rw-r--r-- | dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch | 91 | ||||
| -rw-r--r-- | dev-qt/qtdeclarative/files/qtdeclarative-6.10.1-QTBUG-142331.patch | 66 | ||||
| -rw-r--r-- | dev-qt/qtdeclarative/qtdeclarative-5.15.18-r1.ebuild | 69 | ||||
| -rw-r--r-- | dev-qt/qtdeclarative/qtdeclarative-6.10.1-r1.ebuild (renamed from dev-qt/qtdeclarative/qtdeclarative-6.10.1.ebuild) | 4 |
4 files changed, 230 insertions, 0 deletions
diff --git a/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch b/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch
new file mode 100644
index 000000000000..5d9393b72cd5
--- /dev/null
+++ b/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch
@@ -0,0 +1,91 @@
+From f78bc0b2c6884fd730bf34a931870d67936cf01d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sun, 7 Dec 2025 11:44:35 +0100
+Subject: [PATCH] Increase robustness of <img> tag in Text component
+
+For Text.StyledText, there was no protection against <img> tags
+with very large widths or heights. This could cause an application
+to spend a very long time processing a layout and sometimes crash
+if the size was too large.
+
+We reuse the internal coord limit in QPainter as our maximum size
+here, similar to what we do in Qt Svg for instance.
+
+For Text.RichText, there were no issues in release builds, but in
+debug builds, you could trigger an overflow assert when rounding
+the number if it exceeded INT_MAX. For this, we simply cap the
+width and height at INT_MAX.
+
+Fixes: QTBUG-141515
+Pick-to: 5.15
+Change-Id: I4bcba16158f5f495a0de38963316effc4c46aae1
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit 4aaf9bf21f7cc69d73066785e254b664fcc82025)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+(cherry picked from commit 907c7ceb7b27586039262567273efd5ec79e6202)
+(cherry picked from commit c4b74f27058b302a101befc2c1967f8c00b41be7)
+
+This is actually a manual patch based on
+https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff
+---
+ src/quick/items/qquicktextdocument.cpp | 4 ++--
+ src/quick/util/qquickstyledtext.cpp | 19 +++++++++++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
+index 021bbca0f6..67ed63d0de 100644
+--- a/src/quick/items/qquicktextdocument.cpp
++++ b/src/quick/items/qquicktextdocument.cpp
+@@ -138,9 +138,9 @@ QSizeF QQuickTextDocumentWithImageResources::intrinsicSize(
+ if (format.isImageFormat()) {
+ QTextImageFormat imageFormat = format.toImageFormat();
+
+- const int width = qRound(imageFormat.width());
++
int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
+ const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
+- const int height = qRound(imageFormat.height());
++ const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
+ const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
+
+ QSizeF size(width, height);
+diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
+index a25af90414..120a2593d3 100644
+--- a/src/quick/util/qquickstyledtext.cpp
++++ b/src/quick/util/qquickstyledtext.cpp
+@@ -45,6 +45,11 @@
+ #include <qmath.h>
+ #include "qquickstyledtext_p.h"
+ #include <QQmlContext>
++#include <QtGui/private/qoutlinemapper_p.h>
++
++#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
++# define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
++#endif
+
+ Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
+
+@@ -694,9 +699,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
+ if (attr.first == QLatin1String("src")) {
+ image->url = QUrl(attr.second.toString());
+ } else if (attr.first == QLatin1String("width")) {
+- image->size.setWidth(attr.second.toString().toInt());
++ bool ok;
++ int v = attr.second.toString().toInt(&ok);
++ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
++ image->size.setWidth(v);
++ else
++ qCWarning(lcStyledText) << "Invalid width provided for <img>";
+ } else if (attr.first == QLatin1String("height")) {
+- image->size.setHeight(attr.second.toString().toInt());
++ bool ok;
++ int v = attr.second.toString().toInt(&ok);
++ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
++ image->size.setHeight(v);
++ else
++ qCWarning(lcStyledText) << "Invalid height provided for <img>";
+ } else if (attr.first == QLatin1String("align")) {
+ if (attr.second.toString() == QLatin1String("top")) {
+ image->align = QQuickStyledTextImgTag::Top;
+--
+2.52.0
+
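Review bot: The new `width`/`height` checks in `parseImageAttributes` (src/quick/util/qquickstyledtext.cpp) bound the parsed value only from above, so a negative attribute value still satisfies `ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT` and is stored in `image->size`. Whether a negative size is harmless further down the layout path is not visible in this hunk, so rejecting it at the parser would be the safer default for both attributes: `if (ok && v >= 0 && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)`. There is also a quiet behaviour change worth recording in the patch header, since this is a manual backport: the old `toInt()` call set the size to 0 on a failed parse, while the new code leaves `image->size` untouched and only logs. The function body continues outside the hunk.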
diff --git a/dev-qt/qtdeclarative/files/qtdeclarative-6.10.1-QTBUG-142331.patch b/dev-qt/qtdeclarative/files/qtdeclarative-6.10.1-QTBUG-142331.patch
new file mode 100644
index 000000000000..7109559a29a2
--- /dev/null
+++ b/dev-qt/qtdeclarative/files/qtdeclarative-6.10.1-QTBUG-142331.patch
@@ -0,0 +1,66 @@
+https://qt-project.atlassian.net/browse/QTBUG-142331
+https://mail.kde.org/pipermail/distributions/2025-December/001648.html
+https://bugs.kde.org/show_bug.cgi?id=512754
+https://codereview.qt-project.org/c/qt/qtdeclarative/+/696524
+--- a/src/qml/jsruntime/qv4lookup_p.h
++++ b/src/qml/jsruntime/qv4lookup_p.h
+@@ -160,4 +160,8 @@
+ } qobjectMethodLookup;
+ struct {
++ // NB: None of this is actually cache-able. The metaobject may change at any time.
++ // We invalidate this data every time the lookup is invoked and thereby force a
++ // re-initialization next time.
++
+ quintptr isConstant; // This is a bool, encoded as 0 or 1. Both values are ignored by gc
+ quintptr metaObject; // a (const QMetaObject* & 1) or nullptr
+--- a/src/qml/qml/qqml.cpp
++++ b/src/qml/qml/qqml.cpp
+@@ -1378,14 +1378,14 @@
+ static FallbackPropertyQmlData findFallbackPropertyQmlData(QV4::Lookup *lookup, QObject *object)
+ {
++ // We've just initialized the lookup. So everything must be fine here.
++
+ QQmlData *qmlData = QQmlData::get(object);
+- if (qmlData && qmlData->isQueuedForDeletion)
+- return {qmlData, nullptr, PropertyResult::Deleted};
+
++ Q_ASSERT(!qmlData || !qmlData->isQueuedForDeletion);
+ Q_ASSERT(!QQmlData::wasDeleted(object));
+
+ const QMetaObject *metaObject
+ = reinterpret_cast<const QMetaObject *>(lookup->qobjectFallbackLookup.metaObject - 1);
+- if (!metaObject || metaObject != object->metaObject())
+- return {qmlData, nullptr, PropertyResult::NeedsInit};
++ Q_ASSERT(metaObject == object->metaObject());
+
+ return {qmlData, metaObject, PropertyResult::OK};
+@@ -2577,4 +2577,5 @@
+ case QV4::Lookup::Call::ContextGetterScopeObjectPropertyFallback:
+ result = loadFallbackProperty(lookup, qmlScopeObject, target, this);
++ lookup->call = QV4::Lookup::Call::ContextGetterGeneric;
+ break;
+ default:
+@@ -2608,4 +2609,5 @@
+ case QV4::Lookup::Call::ContextGetterScopeObjectPropertyFallback:
+ result = writeBackFallbackProperty(lookup, qmlScopeObject, source);
++ lookup->call = QV4::Lookup::Call::ContextGetterGeneric;
+ break;
+ default:
+@@ -2808,4 +2810,5 @@
+ ? loadFallbackAsVariant(lookup, object, target, this)
+ : loadFallbackProperty(lookup, object, target, this);
++ lookup->call = QV4::Lookup::Call::GetterGeneric;
+ break;
+ default:
+@@ -2842,4 +2845,5 @@
+ ? writeBackFallbackAsVariant(lookup, object, source)
+ : writeBackFallbackProperty(lookup, object, source);
++ lookup->call = QV4::Lookup::Call::GetterGeneric;
+ break;
+ default:
+@@ -3002,4 +3006,5 @@
+ ? storeFallbackAsVariant(engine->handle(), lookup, object, value)
+ : storeFallbackProperty(lookup, object, value);
++ lookup->call = QV4::Lookup::Call::SetterGeneric;
+ break;
+ default:
diff --git a/dev-qt/qtdeclarative/qtdeclarative-5.15.18-r1.ebuild b/dev-qt/qtdeclarative/qtdeclarative-5.15.18-r1.ebuild
new file mode 100644
index 000000000000..1afbcceb68d7
--- /dev/null
+++ b/dev-qt/qtdeclarative/qtdeclarative-5.15.18-r1.ebuild
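Review bot: In `findFallbackPropertyQmlData` (src/qml/qml/qqml.cpp) the early returns for `isQueuedForDeletion` and for a metaobject mismatch are replaced by `Q_ASSERT`s, which are compiled out of release builds, so the stale-lookup check now exists only in debug builds. Correctness then rests on every fallback call site resetting `lookup->call` to its generic variant after use; five sites are reset in this patch, but whether those are all the callers cannot be confirmed from the hunks shown. Keeping the runtime guard costs one comparison and stops a missed call site from using an outdated `QMetaObject` pointer: `if (!metaObject || metaObject != object->metaObject()) return {qmlData, nullptr, PropertyResult::NeedsInit};`. The patch file's header is four bare URLs; a one-line summary of the defect being fixed would help whoever rebases it next.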
@@ -0,0 +1,69 @@
+# Copyright 2009-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+ QT5_KDEPATCHSET_REV=1
+ KEYWORDS="~amd64 arm arm64 ~hppa ~loong ppc ~ppc64 ~riscv ~x86"
+fi
+
+PYTHON_COMPAT=( python3_{11..14} )
+inherit flag-o-matic python-any-r1 qt5-build
+
+DESCRIPTION="The QML and Quick modules for the Qt5 framework"
+
+IUSE="cpu_flags_x86_sse2 gles2-only +jit localstorage vulkan +widgets"
+REQUIRED_USE="jit? ( x86? ( cpu_flags_x86_sse2 ) )"
+
+# qtgui[gles2-only=] is needed because of bug 504322
+DEPEND="
+ =dev-qt/qtcore-${QT5_PV}*
+ =dev-qt/qtgui-${QT5_PV}*:5=[gles2-only=,vulkan=]
+ =dev-qt/qtnetwork-${QT5_PV}*
+ =dev-qt/qttest-${QT5_PV}*
+ media-libs/libglvnd
+ localstorage? ( =dev-qt/qtsql-${QT5_PV}* )
+ widgets? ( =dev-qt/qtwidgets-${QT5_PV}*[gles2-only=] )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="${PYTHON_DEPS}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.14.2-QQuickItemView-fix-maxXY-extent.patch" # QTBUG-83890
+ "${FILESDIR}/${P}-CVE-2025-12385.patch" # bug 966269, QTBUG-141515
+)
+
+src_prepare() {
+ qt_use_disable_mod localstorage sql \
+ src/imports/imports.pro
+
+ qt_use_disable_mod widgets widgets \
+ src/src.pro \
+ src/qmltest/qmltest.pro \
+ tests/auto/auto.pro \
+ tools/tools.pro \
+ tools/qmlscene/qmlscene.pro \
+ tools/qml/qml.pro
+
+ qt5-build_src_prepare
+}
+
+src_configure() {
+ replace-flags "-Os" "-O2" # bug 840861
+
+ local myqmakeargs=(
+ --
+ -qml-debug
+ $(qt_use jit feature-qml-jit)
+ )
+ qt5-build_src_configure
+}
+
+src_install() {
+ qt5-build_src_install
+ qt5_symlink_binary_to_path qml 5
+ qt5_symlink_binary_to_path qmleasing 5
+ qt5_symlink_binary_to_path qmlpreview 5
+ qt5_symlink_binary_to_path qmlscene 5
+}
diff --git a/dev-qt/qtdeclarative/qtdeclarative-6.10.1.ebuild b/dev-qt/qtdeclarative/qtdeclarative-6.10.1-r1.ebuild
index eb34cbcde726..43c9a1f694de 100644
--- a/dev-qt/qtdeclarative/qtdeclarative-6.10.1.ebuild
+++ b/dev-qt/qtdeclarative/qtdeclarative-6.10.1-r1.ebuild
@@ -32,6 +32,10 @@ BDEPEND="
 ~dev-qt/qtshadertools-${PV}:6
 "
 
+PATCHES=(
+ "${FILESDIR}"/${PN}-6.10.1-QTBUG-142331.patch
+)
+
 src_configure() {
 local mycmakeargs=(
 $(cmake_use_find_package qmlls Qt6LanguageServerPrivate) |
