Not yet Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
Date: 2021-06-19
Initial Package Version: 5.15.2
Upstream Status: Applied
Origin: Upstream, found at debian
Description: Fixes CVE-2021-3401 (out of bounds read) by clamping
parsed doubles to float representable values. Upstream commits:
https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=aceea78cc05ac8ff
https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=bfd6ee0d8cf34b63
diff -Naur a/qtsvg/src/svg/qsvghandler.cpp b/qtsvg/src/svg/qsvghandler.cpp
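--- a/qtsvg/src/svg/qsvghandler.cpp 2020-10-27 08:02:11.000000000 +0000
+++ b/qtsvg/src/svg/qsvghandler.cpp 2021-06-18 23:16:47.263564883 +0100
@@ -65,6 +65,7 @@
 #include "private/qmath_p.h"
 
 #include "float.h"
+#include <cmath>
 
 QT_BEGIN_NAMESPACE
 
@@ -672,6 +673,9 @@
 val = -val;
 } else {
 val = QByteArray::fromRawData(temp, pos).toDouble();
+ // Do not tolerate values too wild to be represented normally by floats
+ if (qFpClassify(float(val)) != FP_NORMAL)
+ val = 0;
 }
 return val;
 
@@ -3043,6 +3047,8 @@
 ncy = toDouble(cy);
 if (!r.isEmpty())
 nr = toDouble(r);
+ if (nr < 0.5)
+ nr = 0.5;
 
 qreal nfx = ncx;
 if (!fx.isEmpty())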
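Review bot: The range check in the second hunk narrows with `float(val)` before classifying, and converting a double that lies outside float's range is formally undefined in C++, even though IEEE-754 targets yield infinity in practice. Comparing in double first avoids relying on that, for example `if (!qIsFinite(val) || qAbs(val) > double(std::numeric_limits<float>::max())) val = 0;` (needs `<limits>`), with the subnormal case handled separately if zeroing it is intended. The check sits only in the `else` branch, so the fix depends on the other branch being bounded by code outside this hunk; a comment stating that assumption would help the next reader. In the third hunk the `0.5` floor on `nr` has no comment and the patch description mentions only clamping parsed doubles, so a line such as `// keep the radius strictly positive` (if that is the intent) should be added. Both enclosing functions start and end outside the hunks shown.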