2 files changed, 75 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch b/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch
new file mode 100644
index 00000000..1b67914c
--- /dev/null
+++ b/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch
@@ -0,0 +1,73 @@
+CVE: CVE-2021-3481
+Upstream-Status: Backport [https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0]
+Backport and squash commits 85b70a721695991e8a5bbe4aa52e5320e170e90c and
+bfd6ee0d8cf34b63d32adf10ed93daa0086b359f to fix CVE-2021-3481.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 6c40fd492eafabe67177c0e84839beec5be298b8 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Tue, 1 Dec 2020 14:39:59 +0100
+Subject: [PATCH] Improve handling of malformed numeric values in svg files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Catch cases where the input is not containable in a qreal, and avoid
+passing on inf values.
+Pick-to: 6.0 5.15 5.12
+Change-Id: I1ab8932d94473916815385240c29e03afb0e0c9e
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Clamp parsed doubles to float representable values
+Parts of our rendering assumes incoming doubles can still be sane
+floats.
+Pick-to: 6.1 6.0 5.15 5.12
+Fixes: QTBUG-91507
+Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
+Reviewed-by: Robert Löhning <robert.loehning@qt.io>
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
+---
+ src/svg/qsvghandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index c937254..9dac05c 100644
+--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
+@@ -65,6 +65,7 @@
+ #include "private/qmath_p.h"
+ 
+ #include "float.h"
+#include <cmath>
+ 
+ QT_BEGIN_NAMESPACE
+ 
+@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
+             val = -val;
+     } else {
+         val = QByteArray::fromRawData(temp, pos).toDouble();
+        // Do not tolerate values too wild to be represented normally by floats
+        if (qFpClassify(float(val)) != FP_NORMAL)
+            val = 0;
+     }
+     return val;
+ 
+@@ -3043,6 +3047,8 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node,
+         ncy = toDouble(cy);
+     if (!r.isEmpty())
+         nr = toDouble(r);
+    if (nr < 0.5)
+        nr = 0.5;
+ 
+     qreal nfx = ncx;
+     if (!fx.isEmpty())
+-- 
+2.29.2
diff --git a/recipes-qt/qt5/qtsvg_git.bb b/recipes-qt/qt5/qtsvg_git.bb
index 52d82653..1fe6d7c4 100644
--- a/recipes-qt/qt5/qtsvg_git.bb
+++ b/recipes-qt/qt5/qtsvg_git.bb
@@ -12,4 +12,6 @@ LIC_FILES_CHKSUM = " \
 DEPENDS += "qtbase"
+SRC_URI:append = " file://CVE-2021-3481.patch"
 SRCREV = "52d3788c7b0116ea3db232dccca5f1e3f1e229ac"

diff --git a/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch b/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch new file mode 100644 index 00000000..1b67914c --- /dev/null +++ b/recipes-qt/qt5/qtsvg/CVE-2021-3481.patch
@@ -0,0 +1,73 @@
		1	CVE: CVE-2021-3481
		2	Upstream-Status: Backport [https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0]
		3
		4	Backport and squash commits 85b70a721695991e8a5bbe4aa52e5320e170e90c and
		5	bfd6ee0d8cf34b63d32adf10ed93daa0086b359f to fix CVE-2021-3481.
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8
		9	From 6c40fd492eafabe67177c0e84839beec5be298b8 Mon Sep 17 00:00:00 2001
		10	From: Eirik Aavitsland <eirik.aavitsland@qt.io>
		11	Date: Tue, 1 Dec 2020 14:39:59 +0100
		12	Subject: [PATCH] Improve handling of malformed numeric values in svg files
		13	MIME-Version: 1.0
		14	Content-Type: text/plain; charset=UTF-8
		15	Content-Transfer-Encoding: 8bit
		16
		17	Catch cases where the input is not containable in a qreal, and avoid
		18	passing on inf values.
		19
		20	Pick-to: 6.0 5.15 5.12
		21	Change-Id: I1ab8932d94473916815385240c29e03afb0e0c9e
		22	Reviewed-by: Robert Loehning <robert.loehning@qt.io>
		23	Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
		24
		25	Clamp parsed doubles to float representable values
		26
		27	Parts of our rendering assumes incoming doubles can still be sane
		28	floats.
		29
		30	Pick-to: 6.1 6.0 5.15 5.12
		31	Fixes: QTBUG-91507
		32	Change-Id: I7086a121e1b5ed47695a1251ea90e774dd8f148d
		33	Reviewed-by: Robert Löhning <robert.loehning@qt.io>
		34	Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
		35	Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
		36	---
		37	src/svg/qsvghandler.cpp \| 6 ++++++
		38	1 file changed, 6 insertions(+)
		39
		40	diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
		41	index c937254..9dac05c 100644
		42	--- a/src/svg/qsvghandler.cpp
		43	+++ b/src/svg/qsvghandler.cpp
		44	@@ -65,6 +65,7 @@
		45	#include "private/qmath_p.h"
		46
		47	#include "float.h"
		48	+#include <cmath>
		49
		50	QT_BEGIN_NAMESPACE
		51
		52	@@ -672,6 +673,9 @@ static qreal toDouble(const QChar *&str)
		53	val = -val;
		54	} else {
		55	val = QByteArray::fromRawData(temp, pos).toDouble();
		56	+ // Do not tolerate values too wild to be represented normally by floats
		57	+ if (qFpClassify(float(val)) != FP_NORMAL)
		58	+ val = 0;
		59	}
		60	return val;
		61
		62	@@ -3043,6 +3047,8 @@ static QSvgStyleProperty createRadialGradientNode(QSvgNode node,
		63	ncy = toDouble(cy);
		64	if (!r.isEmpty())
		65	nr = toDouble(r);
		66	+ if (nr < 0.5)
		67	+ nr = 0.5;
		68
		69	qreal nfx = ncx;
		70	if (!fx.isEmpty())
		71	--
		72	2.29.2
		73


diff --git a/recipes-qt/qt5/qtsvg_git.bb b/recipes-qt/qt5/qtsvg_git.bb index 52d82653..1fe6d7c4 100644 --- a/recipes-qt/qt5/qtsvg_git.bb +++ b/recipes-qt/qt5/qtsvg_git.bb
@@ -12,4 +12,6 @@ LIC_FILES_CHKSUM = " \
12		12
13	DEPENDS += "qtbase"	13	DEPENDS += "qtbase"
14		14
		15	SRC_URI:append = " file://CVE-2021-3481.patch"
		16
15	SRCREV = "52d3788c7b0116ea3db232dccca5f1e3f1e229ac"	17	SRCREV = "52d3788c7b0116ea3db232dccca5f1e3f1e229ac"