1 Not yet Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
2 Date: 2021-06-19
3 Initial Package Version: 5.15.2
4 Upstream Status: Applied
5 Origin: Upstream, found at debian
6 Description: Fixes CVE-2021-3401 (out of bounds read) by clamping
7 parsed doubles to float representable values. Upstream commits:
8 https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=aceea78cc05ac8ff
9 https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=bfd6ee0d8cf34b63
10
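--- a/qtsvg/src/svg/qsvghandler.cpp
+++ b/qtsvg/src/svg/qsvghandler.cpp
@@ -65,6 +65,7 @@
 #include "private/qmath_p.h"
 
 #include "float.h"
+#include <cmath>
 
 QT_BEGIN_NAMESPACE
 
@@ -672,6 +673,9 @@
 val = -val;
 } else {
 val = QByteArray::fromRawData(temp, pos).toDouble();
+ // Do not tolerate values too wild to be represented normally by floats
+ if (qFpClassify(float(val)) != FP_NORMAL)
+ val = 0;
 }
 return val;
 
@@ -3043,6 +3047,8 @@
 ncy = toDouble(cy);
 if (!r.isEmpty())
 nr = toDouble(r);
+ if (nr < 0.5)
+ nr = 0.5;
 
 qreal nfx = ncx;
 if (!fx.isEmpty())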
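Review bot: In the hunk at `@@ -672,6 +673,9 @@`, `float(val)` is evaluated before the classification, and narrowing a double whose magnitude exceeds the float range is undefined behaviour in C++, so the guard depends on the platform producing infinity for exactly the inputs it is meant to reject. Testing in double first avoids the narrowing, for example `if (!qIsFinite(val) || qAbs(val) > std::numeric_limits<float>::max()) val = 0;` (needs `<limits>`), with a separate lower-bound test if subnormal floats must also be rejected. The added comment could also state that rejected values are reset to 0 rather than clamped, since the patch description speaks of clamping. In the last hunk the `0.5` floor on `nr` has no comment explaining why that value was chosen; a one-line reason would help, as would confirming that legitimate radii below 0.5 are not expected here. The enclosing functions of both hunks start and end outside the visible lines.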