diff --git a/ports/qtbase/CVE-2023-43114-6.5.patch b/ports/qtbase/CVE-2023-43114-6.5.patch new file mode 100644 index 00000000000000..12b1c5005ccfb4 --- /dev/null +++ b/ports/qtbase/CVE-2023-43114-6.5.patch @@ -0,0 +1,119 @@ +diff --git a/src/gui/text/windows/qwindowsfontdatabase.cpp b/src/gui/text/windows/qwindowsfontdatabase.cpp +index 44cc7fe63e..e44d85a3cb 100644 +--- a/src/gui/text/windows/qwindowsfontdatabase.cpp ++++ b/src/gui/text/windows/qwindowsfontdatabase.cpp +@@ -873,36 +873,70 @@ QT_WARNING_POP + return fontEngine; + } + +-static QList getTrueTypeFontOffsets(const uchar *fontData) ++static QList getTrueTypeFontOffsets(const uchar *fontData, const uchar *fileEndSentinel) + { + QList offsets; +- const quint32 headerTag = *reinterpret_cast(fontData); ++ if (fileEndSentinel - fontData < 12) { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; ++ return offsets; ++ } ++ ++ const quint32 headerTag = qFromUnaligned(fontData); + if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) { + if (headerTag != MAKE_TAG(0, 1, 0, 0) + && headerTag != MAKE_TAG('O', 'T', 'T', 'O') + && headerTag != MAKE_TAG('t', 'r', 'u', 'e') +- && headerTag != MAKE_TAG('t', 'y', 'p', '1')) ++ && headerTag != MAKE_TAG('t', 'y', 'p', '1')) { + return offsets; ++ } + offsets << 0; + return offsets; + } ++ ++ const quint32 maximumNumFonts = 0xffff; + const quint32 numFonts = qFromBigEndian(fontData + 8); +- for (uint i = 0; i < numFonts; ++i) { +- offsets << qFromBigEndian(fontData + 12 + i * 4); ++ if (numFonts > maximumNumFonts) { ++ qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting."; ++ return offsets; ++ } ++ ++ if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) { ++ for (quint32 i = 0; i < numFonts; ++i) ++ offsets << qFromBigEndian(fontData + 12 + i * 4); ++ } else { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; + } ++ + return offsets; + } + +-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length) ++static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length) + { +- const quint16 numTables = qFromBigEndian(data + 4); +- for (uint i = 0; i < numTables; ++i) { +- const quint32 offset = 12 + 16 * i; +- if (*reinterpret_cast(data + offset) == tag) { +- *table = fileBegin + qFromBigEndian(data + offset + 8); +- *length = qFromBigEndian(data + offset + 12); +- return; ++ if (fileEndSentinel - data >= 6) { ++ const quint16 numTables = qFromBigEndian(data + 4); ++ if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) { ++ for (quint32 i = 0; i < numTables; ++i) { ++ const quint32 offset = 12 + 16 * i; ++ if (qFromUnaligned(data + offset) == tag) { ++ const quint32 tableOffset = qFromBigEndian(data + offset + 8); ++ if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; ++ break; ++ } ++ *table = fileBegin + tableOffset; ++ *length = qFromBigEndian(data + offset + 12); ++ if (quintptr(fileEndSentinel - *table) < *length) { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; ++ break; ++ } ++ return; ++ } ++ } ++ } else { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; + } ++ } else { ++ qCWarning(lcQpaFonts) << "Corrupted font data detected"; + } + *table = 0; + *length = 0; +@@ -915,8 +949,9 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, + QList *values) + { + const uchar *data = reinterpret_cast(fontData.constData()); ++ const uchar *dataEndSentinel = data + fontData.size(); + +- QList offsets = getTrueTypeFontOffsets(data); ++ QList offsets = getTrueTypeFontOffsets(data, dataEndSentinel); + if (offsets.isEmpty()) + return; + +@@ -924,7 +959,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, + const uchar *font = data + offsets.at(i); + const uchar *table; + quint32 length; +- getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length); ++ getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length); + if (!table) + continue; + QFontNames names = qt_getCanonicalFontNames(table, length); +@@ -934,7 +969,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, + families->append(std::move(names)); + + if (values || signatures) +- getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length); ++ getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length); + + if (values) { + QFontValues fontValues; +-- +2.27.0.windows.1 diff --git a/ports/qtbase/portfile.cmake b/ports/qtbase/portfile.cmake index ccd4731ce3789a..9a96976ce01f88 100644 --- a/ports/qtbase/portfile.cmake +++ b/ports/qtbase/portfile.cmake @@ -19,6 +19,7 @@ set(${PORT}_PATCHES GLIB2-static.patch # alternative is to force pkg-config clang-cl_source_location.patch clang-cl_QGADGET_fix.diff + CVE-2023-43114-6.5.patch ) if(VCPKG_TARGET_IS_WINDOWS AND NOT VCPKG_TARGET_IS_MINGW) diff --git a/ports/qtbase/vcpkg.json b/ports/qtbase/vcpkg.json index 164f900871341c..64ec5f1d892011 100644 --- a/ports/qtbase/vcpkg.json +++ b/ports/qtbase/vcpkg.json @@ -1,6 +1,7 @@ { "name": "qtbase", "version": "6.5.3", + "port-version": 1, "description": "Qt Application Framework Base Module. Includes Core, GUI, Widgets, Networking, SQL, Concurrent and other essential qt components.", "homepage": "https://www.qt.io/", "license": null, diff --git a/versions/baseline.json b/versions/baseline.json index 32770f17a0692d..8ab54490f669fb 100644 --- a/versions/baseline.json +++ b/versions/baseline.json @@ -6978,7 +6978,7 @@ }, "qtbase": { "baseline": "6.5.3", - "port-version": 0 + "port-version": 1 }, "qtcharts": { "baseline": "6.5.3", diff --git a/versions/q-/qtbase.json b/versions/q-/qtbase.json index e51759879a7c53..342be9a090205b 100644 --- a/versions/q-/qtbase.json +++ b/versions/q-/qtbase.json @@ -1,5 +1,10 @@ { "versions": [ + { + "git-tree": "348dbf9cdcda0559adb72c98c249e06f8a2e50e8", + "version": "6.5.3", + "port-version": 1 + }, { "git-tree": "8ff10ec91d1eda17f49dd867924e6e034a0abd5c", "version": "6.5.3",