commit: f0f2e0e6f77f988b30bcaeef18e2d4e28708f7b1 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
AuthorDate: Sat Jan 25 23:29:54 2020 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Sat Jan 25 23:56:18 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0f2e0e6 |
|
dev-qt/qtcore: Fix CVE-2019-18281 |
|
Bug: https://bugs.gentoo.org/699226 |
Package-Manager: Portage-2.3.85, Repoman-2.3.20 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
|
.../files/qtcore-5.12.3-CVE-2019-18281.patch | 98 ++++++++++++++++++++++ |
dev-qt/qtcore/qtcore-5.12.3-r1.ebuild | 86 +++++++++++++++++++ |
2 files changed, 184 insertions(+) |
|
diff --git a/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch |
19 |
new file mode 100644 |
20 |
index 00000000000..055794b5196 |
21 |
--- /dev/null |
22 |
+++ b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch |
23 |
@@ -0,0 +1,98 @@ |
24 |
+From 1232205e32464d90e871f39eb1e14fcf9b78a163 Mon Sep 17 00:00:00 2001 |
25 |
+From: Rainer Keller <Rainer.Keller@××.io> |
26 |
+Date: Tue, 27 Aug 2019 14:44:48 +0200 |
27 |
+Subject: [PATCH] Fix crash when text contains too many directional chars |
28 |
+ |
29 |
+In case a text to be layouted contains more than 128 directional characters |
30 |
+it causes the application to crash |
31 |
+ |
32 |
+The function initScriptAnalysisAndIsolatePairs() collects information of |
33 |
+RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is |
34 |
+capped to 128. Later the function generateDirectionalRuns() iterates |
35 |
+the text again and tries to access items from the previously capped vector |
36 |
+above the upper bound. |
37 |
+ |
38 |
+Task-number: QTBUG-77819 |
39 |
+Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a |
40 |
+Reviewed-by: Simon Hausmann <simon.hausmann@××.io> |
41 |
+--- |
42 |
+ src/gui/text/qtextengine.cpp | 15 +++++++-------- |
43 |
+ tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp | 17 +++++++++++++++++ |
44 |
+ 2 files changed, 24 insertions(+), 8 deletions(-) |
45 |
+ |
46 |
+diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp |
47 |
+index 2da13289bfd..a7834587b1e 100644 |
48 |
+--- a/src/gui/text/qtextengine.cpp |
49 |
++++ b/src/gui/text/qtextengine.cpp |
50 |
+@@ -399,6 +399,7 @@ struct QBidiAlgorithm { |
51 |
+ analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL; |
52 |
+ runHasContent = true; |
53 |
+ lastRunWithContent = -1; |
54 |
++ ++isolatePairPosition; |
55 |
+ } |
56 |
+ int runBeforeIsolate = runs.size(); |
57 |
+ ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1); |
58 |
+@@ -440,21 +441,19 @@ struct QBidiAlgorithm { |
59 |
+ doEmbed(true, true, false); |
60 |
+ break; |
61 |
+ case QChar::DirLRI: |
62 |
+- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i); |
63 |
+ doEmbed(false, false, true); |
64 |
+- ++isolatePairPosition; |
65 |
+ break; |
66 |
+ case QChar::DirRLI: |
67 |
+- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i); |
68 |
+ doEmbed(true, false, true); |
69 |
+- ++isolatePairPosition; |
70 |
+ break; |
71 |
+ case QChar::DirFSI: { |
72 |
+- const auto &pair = isolatePairs.at(isolatePairPosition); |
73 |
+- Q_ASSERT(pair.start == i); |
74 |
+- bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft(); |
75 |
++ bool isRtl = false; |
76 |
++ if (isolatePairPosition < isolatePairs.size()) { |
77 |
++ const auto &pair = isolatePairs.at(isolatePairPosition); |
78 |
++ Q_ASSERT(pair.start == i); |
79 |
++ isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft(); |
80 |
++ } |
81 |
+ doEmbed(isRtl, false, true); |
82 |
+- ++isolatePairPosition; |
83 |
+ break; |
84 |
+ } |
85 |
+ |
86 |
+diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp |
87 |
+index 9c477589f93..f0a32c2ed40 100644 |
88 |
+--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp |
89 |
++++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp |
90 |
+@@ -138,6 +138,7 @@ private slots: |
91 |
+ void noModificationOfInputString(); |
92 |
+ void superscriptCrash_qtbug53911(); |
93 |
+ void showLineAndParagraphSeparatorsCrash(); |
94 |
++ void tooManyDirectionalCharctersCrash_qtbug77819(); |
95 |
+ |
96 |
+ private: |
97 |
+ QFont testFont; |
98 |
+@@ -2309,5 +2310,21 @@ void tst_QTextLayout::nbspWithFormat() |
99 |
+ QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length()); |
100 |
+ } |
101 |
+ |
102 |
++void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819() |
103 |
++{ |
104 |
++ QString data; |
105 |
++ data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character |
106 |
++ data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character |
107 |
++ |
108 |
++ // duplicating the text |
109 |
++ for (int i = 0; i < 10; i++) |
110 |
++ data += data; |
111 |
++ |
112 |
++ // Nothing to test. It must not crash in beginLayout(). |
113 |
++ QTextLayout tl(data); |
114 |
++ tl.beginLayout(); |
115 |
++ tl.endLayout(); |
116 |
++} |
117 |
++ |
118 |
+ QTEST_MAIN(tst_QTextLayout) |
119 |
+ #include "tst_qtextlayout.moc" |
120 |
+-- |
121 |
+2.16.3 |
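Review bot: The only remaining bounds guard between `isolatePairPosition` and the capped `isolatePairs` vector is the `isolatePairPosition < isolatePairs.size()` check in the `DirFSI` case — the `DirLRI`/`DirRLI` cases drop their `Q_ASSERT` and no longer read the vector — so correctness now rests on the increment moved into the embed path (`++isolatePairPosition;` next to `lastRunWithContent = -1;`) staying in step with the cap applied in `initScriptAnalysisAndIsolatePairs()`, which is outside this hunk. Since, to my knowledge, `at()` on Qt containers is bounds-checked only by `Q_ASSERT` and is unchecked in release builds, I would document that invariant at the increment, e.g. `// advance only when an isolate is actually pushed; must stay in step with the cap in initScriptAnalysisAndIsolatePairs()`, and keep a debug-only consistency check in the LRI/RLI cases, `Q_ASSERT(isolatePairPosition >= isolatePairs.size() || isolatePairs.at(isolatePairPosition).start == i);`, so future drift is caught before it becomes another out-of-bounds read. The fallback `isRtl = false` when no pair is available presumably only matters once the isolate depth limit is exceeded, where the direction should not influence the result, but that deserves a one-line comment rather than being left implicit. The enclosing `doEmbed` and the `switch` both start outside the hunk, and the new test only feeds FSI/RLI pairs, so an LRI-heavy input would be a cheap addition to the regression test.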
122 |
|
123 |
diff --git a/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild |
124 |
new file mode 100644 |
125 |
index 00000000000..ff88ef5f4ec |
126 |
--- /dev/null |
127 |
+++ b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild |
128 |
@@ -0,0 +1,86 @@ |
129 |
+# Copyright 1999-2020 Gentoo Authors |
130 |
+# Distributed under the terms of the GNU General Public License v2 |
131 |
+ |
132 |
+EAPI=6 |
133 |
+QT5_MODULE="qtbase" |
134 |
+inherit qt5-build |
135 |
+ |
136 |
+DESCRIPTION="Cross-platform application development framework" |
137 |
+ |
138 |
+if [[ ${QT5_BUILD_TYPE} == release ]]; then |
139 |
+ KEYWORDS="~arm ~x86" |
140 |
+fi |
141 |
+ |
142 |
+IUSE="icu systemd" |
143 |
+ |
144 |
+DEPEND=" |
145 |
+ dev-libs/double-conversion:= |
146 |
+ dev-libs/glib:2 |
147 |
+ dev-libs/libpcre2[pcre16,unicode] |
148 |
+ sys-libs/zlib:= |
149 |
+ icu? ( dev-libs/icu:= ) |
150 |
+ !icu? ( virtual/libiconv ) |
151 |
+ systemd? ( sys-apps/systemd:= ) |
152 |
+" |
153 |
+RDEPEND="${DEPEND} |
154 |
+ !<dev-qt/qtcore-4.8.7-r4:4 |
155 |
+" |
156 |
+ |
157 |
+QT5_TARGET_SUBDIRS=( |
158 |
+ src/tools/bootstrap |
159 |
+ src/tools/moc |
160 |
+ src/tools/rcc |
161 |
+ src/tools/qfloat16-tables |
162 |
+ src/corelib |
163 |
+ src/tools/qlalr |
164 |
+ doc |
165 |
+) |
166 |
+ |
167 |
+QT5_GENTOO_PRIVATE_CONFIG=( |
168 |
+ !:network |
169 |
+ !:sql |
170 |
+ !:testlib |
171 |
+ !:xml |
172 |
+) |
173 |
+ |
174 |
+PATCHES=( "${FILESDIR}/${P}-CVE-2019-18281.patch" ) |
175 |
+ |
176 |
+src_prepare() { |
177 |
+ # don't add -O3 to CXXFLAGS, bug 549140 |
178 |
+ sed -i -e '/CONFIG\s*+=/s/optimize_full//' src/corelib/corelib.pro || die |
179 |
+ |
180 |
+ # fix missing qt_version_tag symbol w/ LTO, bug 674382 |
181 |
+ sed -i -e 's/^gcc:ltcg/gcc/' src/corelib/global/global.pri || die |
182 |
+ |
183 |
+ qt5-build_src_prepare |
184 |
+} |
185 |
+ |
186 |
+src_configure() { |
187 |
+ local myconf=( |
188 |
+ -no-feature-statx # bug 672856 |
189 |
+ $(qt_use icu) |
190 |
+ $(qt_use !icu iconv) |
191 |
+ $(qt_use systemd journald) |
192 |
+ ) |
193 |
+ qt5-build_src_configure |
194 |
+} |
195 |
+ |
196 |
+src_install() { |
197 |
+ qt5-build_src_install |
198 |
+ |
199 |
+ local flags=( |
200 |
+ DBUS FREETYPE IMAGEFORMAT_JPEG IMAGEFORMAT_PNG |
201 |
+ OPENGL OPENSSL SSL WIDGETS |
202 |
+ ) |
203 |
+ |
204 |
+ for flag in ${flags[@]}; do |
205 |
+ cat >> "${D%/}"/${QT5_HEADERDIR}/QtCore/qconfig.h <<- _EOF_ || die |
206 |
+ |
207 |
+ #if defined(QT_NO_${flag}) && defined(QT_${flag}) |
208 |
+ # undef QT_NO_${flag} |
209 |
+ #elif !defined(QT_NO_${flag}) && !defined(QT_${flag}) |
210 |
+ # define QT_NO_${flag} |
211 |
+ #endif |
212 |
+ _EOF_ |
213 |
+ done |
214 |
+} |
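Review bot: The array expansion in `src_install` is unquoted, `for flag in ${flags[@]}; do`, and `${QT5_HEADERDIR}` in the `cat >>` target likewise sits outside the quotes; with the current values this is harmless, but the idiomatic `for flag in "${flags[@]}"; do` and `"${D%/}/${QT5_HEADERDIR}/QtCore/qconfig.h"` cost nothing and remove the word-splitting and globbing hazard if either value ever contains whitespace or glob characters. This is presumably carried over from the previous revision rather than introduced by this revbump, so it is a style nit, not a blocker. A one-line comment above `PATCHES` naming the upstream change, e.g. `# upstream qtbase 1232205e, QTBUG-77819`, would also help whoever later drops the patch when bumping past 5.12.3.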