dbp/linamh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
22dcfb823b76b0a995f460deccdc773def122047
linamh/dev-qt/qtdeclarative/files/qtdeclarative-5.15.18-CVE-2025-12385.patch
Mario Fetka 05f2bfed14 Bump
2026-04-14 20:15:00 +02:00

92 lines
4.2 KiB
Diff
Raw Blame History

From f78bc0b2c6884fd730bf34a931870d67936cf01d Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sun, 7 Dec 2025 11:44:35 +0100
Subject: [PATCH] Increase robustness of <img> tag in Text component
For Text.StyledText, there was no protection against <img> tags
with very large widths or heights. This could cause an application
to spend a very long time processing a layout and sometimes crash
if the size was too large.
We reuse the internal coord limit in QPainter as our maximum size
here, similar to what we do in Qt Svg for instance.
For Text.RichText, there were no issues in release builds, but in
debug builds, you could trigger an overflow assert when rounding
the number if it exceeded INT_MAX. For this, we simply cap the
width and height at INT_MAX.
Fixes: QTBUG-141515
Pick-to: 5.15
Change-Id: I4bcba16158f5f495a0de38963316effc4c46aae1
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 4aaf9bf21f7cc69d73066785e254b664fcc82025)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 907c7ceb7b27586039262567273efd5ec79e6202)
(cherry picked from commit c4b74f27058b302a101befc2c1967f8c00b41be7)
This is actually a manual patch based on
https://download.qt.io/official_releases/qt/6.5/CVE-2025-12385-qtdeclarative-6.5-0002.diff
---
src/quick/items/qquicktextdocument.cpp | 4 ++--
src/quick/util/qquickstyledtext.cpp | 19 +++++++++++++++++--
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
index 021bbca0f6..67ed63d0de 100644
--- a/src/quick/items/qquicktextdocument.cpp
+++ b/src/quick/items/qquicktextdocument.cpp
@@ -138,9 +138,9 @@ QSizeF QQuickTextDocumentWithImageResources::intrinsicSize(
if (format.isImageFormat()) {
QTextImageFormat imageFormat = format.toImageFormat();
- const int width = qRound(imageFormat.width());
+ int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
- const int height = qRound(imageFormat.height());
+ const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
QSizeF size(width, height);
diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index a25af90414..120a2593d3 100644
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -45,6 +45,11 @@
#include <qmath.h>
#include "qquickstyledtext_p.h"
#include <QQmlContext>
+#include <QtGui/private/qoutlinemapper_p.h>
+
+#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
+# define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
+#endif
Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
@@ -694,9 +699,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
if (attr.first == QLatin1String("src")) {
image->url = QUrl(attr.second.toString());
} else if (attr.first == QLatin1String("width")) {
- image->size.setWidth(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setWidth(v);
+ else
+ qCWarning(lcStyledText) << "Invalid width provided for <img>";
} else if (attr.first == QLatin1String("height")) {
- image->size.setHeight(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setHeight(v);
+ else
+ qCWarning(lcStyledText) << "Invalid height provided for <img>";
} else if (attr.first == QLatin1String("align")) {
if (attr.second.toString() == QLatin1String("top")) {
image->align = QQuickStyledTextImgTag::Top;
--
2.52.0
Reference in New Issue View Git Blame Copy Permalink