mirror of
https://github.com/microsoft/vcpkg.git
synced 2024-12-27 18:31:15 +08:00
[qt5-base] Patch CVE-2023-24607 CVE-2023-37369 and CVE-2023-38197 (#32599)
parent
24bcc37364
commit
489a01db7c
332
ports/qt5-base/patches/CVE-2023-24607-qtbase-5.15.diff
Normal file
@ -0,0 +1,332 @@
|
||||
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
@@ -92,23 +92,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray<SQLTCHAR>& input, int s
|
||||
return result;
|
||||
}
|
||||
|
||||
+template <size_t SizeOfChar = sizeof(SQLTCHAR)>
|
||||
+void toSQLTCHARImpl(QVarLengthArray<SQLTCHAR> &result, const QString &input); // primary template undefined
|
||||
+
|
||||
+template <typename Container>
|
||||
+void do_append(QVarLengthArray<SQLTCHAR> &result, const Container &c)
|
||||
+{
|
||||
+ result.append(reinterpret_cast<const SQLTCHAR *>(c.data()), c.size());
|
||||
+}
|
||||
+
|
||||
+template <>
|
||||
+void toSQLTCHARImpl<1>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||||
+{
|
||||
+ const auto u8 = input.toUtf8();
|
||||
+ do_append(result, u8);
|
||||
+}
|
||||
+
|
||||
+template <>
|
||||
+void toSQLTCHARImpl<2>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||||
+{
|
||||
+ do_append(result, input);
|
||||
+}
|
||||
+
|
||||
+template <>
|
||||
+void toSQLTCHARImpl<4>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
|
||||
+{
|
||||
+ const auto u32 = input.toUcs4();
|
||||
+ do_append(result, u32);
|
||||
+}
|
||||
+
|
||||
inline static QVarLengthArray<SQLTCHAR> toSQLTCHAR(const QString &input)
|
||||
{
|
||||
QVarLengthArray<SQLTCHAR> result;
|
||||
- result.resize(input.size());
|
||||
- switch(sizeof(SQLTCHAR)) {
|
||||
- case 1:
|
||||
- memcpy(result.data(), input.toUtf8().data(), input.size());
|
||||
- break;
|
||||
- case 2:
|
||||
- memcpy(result.data(), input.unicode(), input.size() * 2);
|
||||
- break;
|
||||
- case 4:
|
||||
- memcpy(result.data(), input.toUcs4().data(), input.size() * 4);
|
||||
- break;
|
||||
- default:
|
||||
- qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR)));
|
||||
- }
|
||||
+ toSQLTCHARImpl(result, input);
|
||||
result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't.
|
||||
return result;
|
||||
}
|
||||
|
||||
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
@@ -1732,10 +1732,11 @@ bool QODBCResult::exec()
|
||||
case QVariant::String:
|
||||
if (d->unicode) {
|
||||
if (bindValueType(i) & QSql::Out) {
|
||||
- const QByteArray &first = tmpStorage.at(i);
|
||||
- QVarLengthArray<SQLTCHAR> array;
|
||||
- array.append((const SQLTCHAR *)first.constData(), first.size());
|
||||
- values[i] = fromSQLTCHAR(array, first.size()/sizeof(SQLTCHAR));
|
||||
+ const QByteArray &bytes = tmpStorage.at(i);
|
||||
+ const auto strSize = bytes.size() / int(sizeof(SQLTCHAR));
|
||||
+ QVarLengthArray<SQLTCHAR> string(strSize);
|
||||
+ memcpy(string.data(), bytes.data(), strSize * sizeof(SQLTCHAR));
|
||||
+ values[i] = fromSQLTCHAR(string);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
|
||||
@@ -779,6 +779,14 @@ QChar QODBCDriverPrivate::quoteChar()
|
||||
return quote;
|
||||
}
|
||||
|
||||
+static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val)
|
||||
+{
|
||||
+ auto encoded = toSQLTCHAR(val);
|
||||
+ return SQLSetConnectAttr(handle, attr,
|
||||
+ encoded.data(),
|
||||
+ SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes
|
||||
+}
|
||||
+
|
||||
|
||||
bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||||
{
|
||||
@@ -814,10 +822,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||||
v = val.toUInt();
|
||||
r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0);
|
||||
} else if (opt.toUpper() == QLatin1String("SQL_ATTR_CURRENT_CATALOG")) {
|
||||
- val.utf16(); // 0 terminate
|
||||
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG,
|
||||
- toSQLTCHAR(val).data(),
|
||||
- val.length()*sizeof(SQLTCHAR));
|
||||
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val);
|
||||
} else if (opt.toUpper() == QLatin1String("SQL_ATTR_METADATA_ID")) {
|
||||
if (val.toUpper() == QLatin1String("SQL_TRUE")) {
|
||||
v = SQL_TRUE;
|
||||
@@ -832,10 +837,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
|
||||
v = val.toUInt();
|
||||
r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0);
|
||||
} else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACEFILE")) {
|
||||
- val.utf16(); // 0 terminate
|
||||
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE,
|
||||
- toSQLTCHAR(val).data(),
|
||||
- val.length()*sizeof(SQLTCHAR));
|
||||
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val);
|
||||
} else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACE")) {
|
||||
if (val.toUpper() == QLatin1String("SQL_OPT_TRACE_OFF")) {
|
||||
v = SQL_OPT_TRACE_OFF;
|
||||
@@ -1038,9 +1040,12 @@ bool QODBCResult::reset (const QString& query)
|
||||
return false;
|
||||
}
|
||||
|
||||
- r = SQLExecDirect(d->hStmt,
|
||||
- toSQLTCHAR(query).data(),
|
||||
- (SQLINTEGER) query.length());
|
||||
+ {
|
||||
+ auto encoded = toSQLTCHAR(query);
|
||||
+ r = SQLExecDirect(d->hStmt,
|
||||
+ encoded.data(),
|
||||
+ SQLINTEGER(encoded.size()));
|
||||
+ }
|
||||
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) {
|
||||
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
|
||||
"Unable to execute statement"), QSqlError::StatementError, d));
|
||||
@@ -1387,9 +1392,12 @@ bool QODBCResult::prepare(const QString& query)
|
||||
return false;
|
||||
}
|
||||
|
||||
- r = SQLPrepare(d->hStmt,
|
||||
- toSQLTCHAR(query).data(),
|
||||
- (SQLINTEGER) query.length());
|
||||
+ {
|
||||
+ auto encoded = toSQLTCHAR(query);
|
||||
+ r = SQLPrepare(d->hStmt,
|
||||
+ encoded.data(),
|
||||
+ SQLINTEGER(encoded.size()));
|
||||
+ }
|
||||
|
||||
if (r != SQL_SUCCESS) {
|
||||
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
|
||||
@@ -1417,7 +1425,7 @@ bool QODBCResult::exec()
|
||||
SQLCloseCursor(d->hStmt);
|
||||
|
||||
QVector<QVariant>& values = boundValues();
|
||||
- QVector<QByteArray> tmpStorage(values.count(), QByteArray()); // holds temporary buffers
|
||||
+ QVector<QByteArray> tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter()
|
||||
QVarLengthArray<SQLLEN, 32> indicators(values.count());
|
||||
memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN));
|
||||
|
||||
@@ -1596,35 +1604,36 @@ bool QODBCResult::exec()
|
||||
case QVariant::String:
|
||||
if (d->unicode) {
|
||||
QByteArray &ba = tmpStorage[i];
|
||||
- QString str = val.toString();
|
||||
+ {
|
||||
+ const auto encoded = toSQLTCHAR(val.toString());
|
||||
+ ba = QByteArray(reinterpret_cast<const char *>(encoded.data()),
|
||||
+ encoded.size() * sizeof(SQLTCHAR));
|
||||
+ }
|
||||
+
|
||||
if (*ind != SQL_NULL_DATA)
|
||||
- *ind = str.length() * sizeof(SQLTCHAR);
|
||||
- int strSize = str.length() * sizeof(SQLTCHAR);
|
||||
+ *ind = ba.size();
|
||||
|
||||
if (bindValueType(i) & QSql::Out) {
|
||||
- const QVarLengthArray<SQLTCHAR> a(toSQLTCHAR(str));
|
||||
- ba = QByteArray((const char *)a.constData(), a.size() * sizeof(SQLTCHAR));
|
||||
r = SQLBindParameter(d->hStmt,
|
||||
i + 1,
|
||||
qParamType[bindValueType(i) & QSql::InOut],
|
||||
SQL_C_TCHAR,
|
||||
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||||
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||||
0, // god knows... don't change this!
|
||||
0,
|
||||
- ba.data(),
|
||||
+ const_cast<char *>(ba.constData()), // don't detach
|
||||
ba.size(),
|
||||
ind);
|
||||
break;
|
||||
}
|
||||
- ba = QByteArray ((const char *)toSQLTCHAR(str).constData(), str.size()*sizeof(SQLTCHAR));
|
||||
r = SQLBindParameter(d->hStmt,
|
||||
i + 1,
|
||||
qParamType[bindValueType(i) & QSql::InOut],
|
||||
SQL_C_TCHAR,
|
||||
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||||
- strSize,
|
||||
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
|
||||
+ ba.size(),
|
||||
0,
|
||||
- const_cast<char *>(ba.constData()),
|
||||
+ const_cast<char *>(ba.constData()), // don't detach
|
||||
ba.size(),
|
||||
ind);
|
||||
break;
|
||||
@@ -1982,14 +1991,16 @@ bool QODBCDriver::open(const QString & db,
|
||||
SQLSMALLINT cb;
|
||||
QVarLengthArray<SQLTCHAR> connOut(1024);
|
||||
memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR));
|
||||
- r = SQLDriverConnect(d->hDbc,
|
||||
- NULL,
|
||||
- toSQLTCHAR(connQStr).data(),
|
||||
- (SQLSMALLINT)connQStr.length(),
|
||||
- connOut.data(),
|
||||
- 1024,
|
||||
- &cb,
|
||||
- /*SQL_DRIVER_NOPROMPT*/0);
|
||||
+ {
|
||||
+ auto encoded = toSQLTCHAR(connQStr);
|
||||
+ r = SQLDriverConnect(d->hDbc,
|
||||
+ nullptr,
|
||||
+ encoded.data(), SQLSMALLINT(encoded.size()),
|
||||
+ connOut.data(),
|
||||
+ 1024,
|
||||
+ &cb,
|
||||
+ /*SQL_DRIVER_NOPROMPT*/0);
|
||||
+ }
|
||||
|
||||
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) {
|
||||
setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d));
|
||||
@@ -2368,17 +2379,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const
|
||||
if (tableType.isEmpty())
|
||||
return tl;
|
||||
|
||||
- QString joinedTableTypeString = tableType.join(QLatin1Char(','));
|
||||
+ {
|
||||
+ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u','));
|
||||
|
||||
- r = SQLTables(hStmt,
|
||||
- NULL,
|
||||
- 0,
|
||||
- NULL,
|
||||
- 0,
|
||||
- NULL,
|
||||
- 0,
|
||||
- toSQLTCHAR(joinedTableTypeString).data(),
|
||||
- joinedTableTypeString.length() /* characters, not bytes */);
|
||||
+ r = SQLTables(hStmt,
|
||||
+ nullptr, 0,
|
||||
+ nullptr, 0,
|
||||
+ nullptr, 0,
|
||||
+ joinedTableTypeString.data(), joinedTableTypeString.size());
|
||||
+ }
|
||||
|
||||
if (r != SQL_SUCCESS)
|
||||
qSqlWarning(QLatin1String("QODBCDriver::tables Unable to execute table list"), d);
|
||||
@@ -2452,28 +2461,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const
|
||||
SQL_ATTR_CURSOR_TYPE,
|
||||
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
|
||||
SQL_IS_UINTEGER);
|
||||
- r = SQLPrimaryKeys(hStmt,
|
||||
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||||
- catalog.length(),
|
||||
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||||
- schema.length(),
|
||||
- toSQLTCHAR(table).data(),
|
||||
- table.length() /* in characters, not in bytes */);
|
||||
+ {
|
||||
+ auto c = toSQLTCHAR(catalog);
|
||||
+ auto s = toSQLTCHAR(schema);
|
||||
+ auto t = toSQLTCHAR(table);
|
||||
+ r = SQLPrimaryKeys(hStmt,
|
||||
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||||
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||||
+ t.data(), t.size());
|
||||
+ }
|
||||
|
||||
// if the SQLPrimaryKeys() call does not succeed (e.g the driver
|
||||
// does not support it) - try an alternative method to get hold of
|
||||
// the primary index (e.g MS Access and FoxPro)
|
||||
if (r != SQL_SUCCESS) {
|
||||
- r = SQLSpecialColumns(hStmt,
|
||||
- SQL_BEST_ROWID,
|
||||
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||||
- catalog.length(),
|
||||
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||||
- schema.length(),
|
||||
- toSQLTCHAR(table).data(),
|
||||
- table.length(),
|
||||
- SQL_SCOPE_CURROW,
|
||||
- SQL_NULLABLE);
|
||||
+ auto c = toSQLTCHAR(catalog);
|
||||
+ auto s = toSQLTCHAR(schema);
|
||||
+ auto t = toSQLTCHAR(table);
|
||||
+ r = SQLSpecialColumns(hStmt,
|
||||
+ SQL_BEST_ROWID,
|
||||
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||||
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||||
+ t.data(), t.size(),
|
||||
+ SQL_SCOPE_CURROW,
|
||||
+ SQL_NULLABLE);
|
||||
|
||||
if (r != SQL_SUCCESS) {
|
||||
qSqlWarning(QLatin1String("QODBCDriver::primaryIndex: Unable to execute primary key list"), d);
|
||||
@@ -2554,15 +2565,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const
|
||||
SQL_ATTR_CURSOR_TYPE,
|
||||
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
|
||||
SQL_IS_UINTEGER);
|
||||
- r = SQLColumns(hStmt,
|
||||
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
|
||||
- catalog.length(),
|
||||
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
|
||||
- schema.length(),
|
||||
- toSQLTCHAR(table).data(),
|
||||
- table.length(),
|
||||
- NULL,
|
||||
- 0);
|
||||
+ {
|
||||
+ auto c = toSQLTCHAR(catalog);
|
||||
+ auto s = toSQLTCHAR(schema);
|
||||
+ auto t = toSQLTCHAR(table);
|
||||
+ r = SQLColumns(hStmt,
|
||||
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
|
||||
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
|
||||
+ t.data(), t.size(),
|
||||
+ nullptr,
|
||||
+ 0);
|
||||
+ }
|
||||
if (r != SQL_SUCCESS)
|
||||
qSqlWarning(QLatin1String("QODBCDriver::record: Unable to execute column list"), d);
|
||||
|
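Review bot: Because `toSQLTCHAR()` still ends with `result.append(0)`, every `encoded.size()` that this patch passes as a length counts the trailing NUL, and in the `QVariant::String` bind path of `QODBCResult::exec()` the indicator is now `*ind = ba.size();`, so the bound value is one SQLTCHAR longer than under the removed `str.length() * sizeof(SQLTCHAR)`. If the terminator is not meant to be part of the data, the indicator should exclude it, e.g. `*ind = ba.size() - int(sizeof(SQLTCHAR));`, and the statement and catalog calls could pass `encoded.size() - 1` or `SQL_NTS`. Separately, in `primaryIndex()` and `record()` an empty catalog or schema is now passed as `nullptr` together with `c.size()` / `s.size()`, which is 1 rather than the 0 the removed code sent. Whether a driver tolerates either is driver-specific, so both are worth a test against the ODBC drivers the port supports. The enclosing functions start and end outside these hunks.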
203
ports/qt5-base/patches/CVE-2023-37369-qtbase-5.15.diff
Normal file
@ -0,0 +1,203 @@
|
||||
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
|
||||
index 7cd457ba3a..11d162cb79 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.cpp
|
||||
+++ b/src/corelib/serialization/qxmlstream.cpp
|
||||
@@ -1302,15 +1302,18 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
|
||||
return n;
|
||||
}
|
||||
|
||||
-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
+// Fast scan an XML attribute name (e.g. "xml:lang").
|
||||
+inline QXmlStreamReaderPrivate::FastScanNameResult
|
||||
+QXmlStreamReaderPrivate::fastScanName(Value *val)
|
||||
{
|
||||
int n = 0;
|
||||
uint c;
|
||||
while ((c = getChar()) != StreamEOF) {
|
||||
if (n >= 4096) {
|
||||
// This is too long to be a sensible name, and
|
||||
- // can exhaust memory
|
||||
- return 0;
|
||||
+ // can exhaust memory, or the range of decltype(*prefix)
|
||||
+ raiseNamePrefixTooLongError();
|
||||
+ return {};
|
||||
}
|
||||
switch (c) {
|
||||
case '\n':
|
||||
@@ -1339,23 +1342,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
case '+':
|
||||
case '*':
|
||||
putChar(c);
|
||||
- if (prefix && *prefix == n+1) {
|
||||
- *prefix = 0;
|
||||
+ if (val && val->prefix == n + 1) {
|
||||
+ val->prefix = 0;
|
||||
putChar(':');
|
||||
--n;
|
||||
}
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
case ':':
|
||||
- if (prefix) {
|
||||
- if (*prefix == 0) {
|
||||
- *prefix = n+2;
|
||||
+ if (val) {
|
||||
+ if (val->prefix == 0) {
|
||||
+ val->prefix = n + 2;
|
||||
} else { // only one colon allowed according to the namespace spec.
|
||||
putChar(c);
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
}
|
||||
} else {
|
||||
putChar(c);
|
||||
- return n;
|
||||
+ return FastScanNameResult(n);
|
||||
}
|
||||
Q_FALLTHROUGH();
|
||||
default:
|
||||
@@ -1364,12 +1367,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
|
||||
}
|
||||
}
|
||||
|
||||
- if (prefix)
|
||||
- *prefix = 0;
|
||||
+ if (val)
|
||||
+ val->prefix = 0;
|
||||
int pos = textBuffer.size() - n;
|
||||
putString(textBuffer, pos);
|
||||
textBuffer.resize(pos);
|
||||
- return 0;
|
||||
+ return FastScanNameResult(0);
|
||||
}
|
||||
|
||||
enum NameChar { NameBeginning, NameNotBeginning, NotName };
|
||||
@@ -1878,6 +1881,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
|
||||
raiseError(QXmlStreamReader::NotWellFormedError, message);
|
||||
}
|
||||
|
||||
+void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
|
||||
+{
|
||||
+ // TODO: add a ImplementationLimitsExceededError and use it instead
|
||||
+ raiseError(QXmlStreamReader::NotWellFormedError,
|
||||
+ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
|
||||
+ "characters)."));
|
||||
+}
|
||||
+
|
||||
void QXmlStreamReaderPrivate::parseError()
|
||||
{
|
||||
|
||||
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
|
||||
index 4321fed68a..8c6a1a5887 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.g
|
||||
+++ b/src/corelib/serialization/qxmlstream.g
|
||||
@@ -516,7 +516,16 @@ public:
|
||||
int fastScanLiteralContent();
|
||||
int fastScanSpace();
|
||||
int fastScanContentCharList();
|
||||
- int fastScanName(int *prefix = nullptr);
|
||||
+
|
||||
+ struct FastScanNameResult {
|
||||
+ FastScanNameResult() : ok(false) {}
|
||||
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
|
||||
+ operator bool() { return ok; }
|
||||
+ int operator*() { Q_ASSERT(ok); return addToLen; }
|
||||
+ int addToLen;
|
||||
+ bool ok;
|
||||
+ };
|
||||
+ FastScanNameResult fastScanName(Value *val = nullptr);
|
||||
inline int fastScanNMTOKEN();
|
||||
|
||||
|
||||
@@ -525,6 +534,7 @@ public:
|
||||
|
||||
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
|
||||
void raiseWellFormedError(const QString &message);
|
||||
+ void raiseNamePrefixTooLongError();
|
||||
|
||||
QXmlStreamEntityResolver *entityResolver;
|
||||
|
||||
@@ -1811,7 +1821,12 @@ space_opt ::= space;
|
||||
qname ::= LETTER;
|
||||
/.
|
||||
case $rule_number: {
|
||||
- sym(1).len += fastScanName(&sym(1).prefix);
|
||||
+ Value &val = sym(1);
|
||||
+ if (auto res = fastScanName(&val))
|
||||
+ val.len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume($rule_number);
|
||||
return false;
|
||||
@@ -1822,7 +1837,11 @@ qname ::= LETTER;
|
||||
name ::= LETTER;
|
||||
/.
|
||||
case $rule_number:
|
||||
- sym(1).len += fastScanName();
|
||||
+ if (auto res = fastScanName())
|
||||
+ sym(1).len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume($rule_number);
|
||||
return false;
|
||||
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
|
||||
index e5bde7b98e..b01484cac3 100644
|
||||
--- a/src/corelib/serialization/qxmlstream_p.h
|
||||
+++ b/src/corelib/serialization/qxmlstream_p.h
|
||||
@@ -1005,7 +1005,16 @@ public:
|
||||
int fastScanLiteralContent();
|
||||
int fastScanSpace();
|
||||
int fastScanContentCharList();
|
||||
- int fastScanName(int *prefix = nullptr);
|
||||
+
|
||||
+ struct FastScanNameResult {
|
||||
+ FastScanNameResult() : ok(false) {}
|
||||
+ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
|
||||
+ operator bool() { return ok; }
|
||||
+ int operator*() { Q_ASSERT(ok); return addToLen; }
|
||||
+ int addToLen;
|
||||
+ bool ok;
|
||||
+ };
|
||||
+ FastScanNameResult fastScanName(Value *val = nullptr);
|
||||
inline int fastScanNMTOKEN();
|
||||
|
||||
|
||||
@@ -1014,6 +1023,7 @@ public:
|
||||
|
||||
void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
|
||||
void raiseWellFormedError(const QString &message);
|
||||
+ void raiseNamePrefixTooLongError();
|
||||
|
||||
QXmlStreamEntityResolver *entityResolver;
|
||||
|
||||
@@ -1939,7 +1949,12 @@ bool QXmlStreamReaderPrivate::parse()
|
||||
break;
|
||||
|
||||
case 262: {
|
||||
- sym(1).len += fastScanName(&sym(1).prefix);
|
||||
+ Value &val = sym(1);
|
||||
+ if (auto res = fastScanName(&val))
|
||||
+ val.len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume(262);
|
||||
return false;
|
||||
@@ -1947,7 +1962,11 @@ bool QXmlStreamReaderPrivate::parse()
|
||||
} break;
|
||||
|
||||
case 263:
|
||||
- sym(1).len += fastScanName();
|
||||
+ if (auto res = fastScanName())
|
||||
+ sym(1).len += *res;
|
||||
+ else
|
||||
+ return false;
|
||||
+
|
||||
if (atEnd) {
|
||||
resume(263);
|
||||
return false;
|
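Review bot: The default constructor `FastScanNameResult() : ok(false) {}`, added in both qxmlstream.g and qxmlstream_p.h, leaves `addToLen` uninitialized, and `operator*` guards it only with `Q_ASSERT(ok)`, which is typically compiled out of release builds, so dereferencing a failed result would read an indeterminate int. The call sites in this patch all test the result first, but the type would be safer as `FastScanNameResult() : addToLen(0), ok(false) {}` with `explicit operator bool() const { return ok; }`, so that it cannot silently convert to an integer. Two smaller points in qxmlstream.cpp: the message in `raiseNamePrefixTooLongError()` misspells "implementation" as `implemnetation`, and the comment `or the range of decltype(*prefix)` still names the `prefix` parameter that this change replaces with `Value *val`.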
219
ports/qt5-base/patches/CVE-2023-38197-qtbase-5.15.diff
Normal file
@ -0,0 +1,219 @@
|
||||
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
|
||||
index bf8a2a9..6ab5d49 100644
|
||||
--- a/src/corelib/serialization/qxmlstream.cpp
|
||||
+++ b/src/corelib/serialization/qxmlstream.cpp
|
||||
@@ -160,7 +160,7 @@
|
||||
addData() or by waiting for it to arrive on the device().
|
||||
|
||||
\value UnexpectedElementError The parser encountered an element
|
||||
- that was different to those it expected.
|
||||
+ or token that was different to those it expected.
|
||||
|
||||
*/
|
||||
|
||||
@@ -295,13 +295,34 @@
|
||||
|
||||
QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
|
||||
include external parsed entities. As long as no error occurs, the
|
||||
- application code can thus be assured that the data provided by the
|
||||
- stream reader satisfies the W3C's criteria for well-formed XML. For
|
||||
- example, you can be certain that all tags are indeed nested and
|
||||
- closed properly, that references to internal entities have been
|
||||
- replaced with the correct replacement text, and that attributes have
|
||||
- been normalized or added according to the internal subset of the
|
||||
- DTD.
|
||||
+ application code can thus be assured, that
|
||||
+ \list
|
||||
+ \li the data provided by the stream reader satisfies the W3C's
|
||||
+ criteria for well-formed XML,
|
||||
+ \li tokens are provided in a valid order.
|
||||
+ \endlist
|
||||
+
|
||||
+ Unless QXmlStreamReader raises an error, it guarantees the following:
|
||||
+ \list
|
||||
+ \li All tags are nested and closed properly.
|
||||
+ \li References to internal entities have been replaced with the
|
||||
+ correct replacement text.
|
||||
+ \li Attributes have been normalized or added according to the
|
||||
+ internal subset of the \l DTD.
|
||||
+ \li Tokens of type \l StartDocument happen before all others,
|
||||
+ aside from comments and processing instructions.
|
||||
+ \li At most one DOCTYPE element (a token of type \l DTD) is present.
|
||||
+ \li If present, the DOCTYPE appears before all other elements,
|
||||
+ aside from StartDocument, comments and processing instructions.
|
||||
+ \endlist
|
||||
+
|
||||
+ In particular, once any token of type \l StartElement, \l EndElement,
|
||||
+ \l Characters, \l EntityReference or \l EndDocument is seen, no
|
||||
+ tokens of type StartDocument or DTD will be seen. If one is present in
|
||||
+ the input stream, out of order, an error is raised.
|
||||
+
|
||||
+ \note The token types \l Comment and \l ProcessingInstruction may appear
|
||||
+ anywhere in the stream.
|
||||
|
||||
If an error occurs while parsing, atEnd() and hasError() return
|
||||
true, and error() returns the error that occurred. The functions
|
||||
@@ -620,6 +641,7 @@
|
||||
d->token = -1;
|
||||
return readNext();
|
||||
}
|
||||
+ d->checkToken();
|
||||
return d->type;
|
||||
}
|
||||
|
||||
@@ -740,6 +762,14 @@
|
||||
};
|
||||
|
||||
|
||||
+static const char QXmlStreamReader_XmlContextString[] =
|
||||
+ "Prolog\0"
|
||||
+ "Body\0";
|
||||
+
|
||||
+static const short QXmlStreamReader_XmlContextString_indices[] = {
|
||||
+ 0, 7
|
||||
+};
|
||||
+
|
||||
/*!
|
||||
\property QXmlStreamReader::namespaceProcessing
|
||||
The namespace-processing flag of the stream reader
|
||||
@@ -775,6 +805,16 @@
|
||||
QXmlStreamReader_tokenTypeString_indices[d->type]);
|
||||
}
|
||||
|
||||
+/*!
|
||||
+ \internal
|
||||
+ \return \param ctxt (Prolog/Body) as a string.
|
||||
+ */
|
||||
+QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt)
|
||||
+{
|
||||
+ return QLatin1String(QXmlStreamReader_XmlContextString +
|
||||
+ QXmlStreamReader_XmlContextString_indices[static_cast<int>(ctxt)]);
|
||||
+}
|
||||
+
|
||||
#endif // QT_NO_XMLSTREAMREADER
|
||||
|
||||
QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
|
||||
@@ -866,6 +906,8 @@
|
||||
|
||||
type = QXmlStreamReader::NoToken;
|
||||
error = QXmlStreamReader::NoError;
|
||||
+ currentContext = XmlContext::Prolog;
|
||||
+ foundDTD = false;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -4061,6 +4103,92 @@
|
||||
}
|
||||
}
|
||||
|
||||
+static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type,
|
||||
+ QXmlStreamReaderPrivate::XmlContext loc)
|
||||
+{
|
||||
+ switch (type) {
|
||||
+ case QXmlStreamReader::StartDocument:
|
||||
+ case QXmlStreamReader::DTD:
|
||||
+ return loc == QXmlStreamReaderPrivate::XmlContext::Prolog;
|
||||
+
|
||||
+ case QXmlStreamReader::StartElement:
|
||||
+ case QXmlStreamReader::EndElement:
|
||||
+ case QXmlStreamReader::Characters:
|
||||
+ case QXmlStreamReader::EntityReference:
|
||||
+ case QXmlStreamReader::EndDocument:
|
||||
+ return loc == QXmlStreamReaderPrivate::XmlContext::Body;
|
||||
+
|
||||
+ case QXmlStreamReader::Comment:
|
||||
+ case QXmlStreamReader::ProcessingInstruction:
|
||||
+ return true;
|
||||
+
|
||||
+ case QXmlStreamReader::NoToken:
|
||||
+ case QXmlStreamReader::Invalid:
|
||||
+ return false;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*!
|
||||
+ \internal
|
||||
+ \brief QXmlStreamReader::isValidToken
|
||||
+ \return \c true if \param type is a valid token type.
|
||||
+ \return \c false if \param type is an unexpected token,
|
||||
+ which indicates a non-well-formed or invalid XML stream.
|
||||
+ */
|
||||
+bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type)
|
||||
+{
|
||||
+ // Don't change currentContext, if Invalid or NoToken occur in the prolog
|
||||
+ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken)
|
||||
+ return false;
|
||||
+
|
||||
+ // If a token type gets rejected in the body, there is no recovery
|
||||
+ const bool result = isTokenAllowedInContext(type, currentContext);
|
||||
+ if (result || currentContext == XmlContext::Body)
|
||||
+ return result;
|
||||
+
|
||||
+ // First non-Prolog token observed => switch context to body and check again.
|
||||
+ currentContext = XmlContext::Body;
|
||||
+ return isTokenAllowedInContext(type, currentContext);
|
||||
+}
|
||||
+
|
||||
+/*!
|
||||
+ \internal
|
||||
+ Checks token type and raises an error, if it is invalid
|
||||
+ in the current context (prolog/body).
|
||||
+ */
|
||||
+void QXmlStreamReaderPrivate::checkToken()
|
||||
+{
|
||||
+ Q_Q(QXmlStreamReader);
|
||||
+
|
||||
+ // The token type must be consumed, to keep track if the body has been reached.
|
||||
+ const XmlContext context = currentContext;
|
||||
+ const bool ok = isValidToken(type);
|
||||
+
|
||||
+ // Do nothing if an error has been raised already (going along with an unexpected token)
|
||||
+ if (error != QXmlStreamReader::Error::NoError)
|
||||
+ return;
|
||||
+
|
||||
+ if (!ok) {
|
||||
+ raiseError(QXmlStreamReader::UnexpectedElementError,
|
||||
+ QLatin1String("Unexpected token type %1 in %2.")
|
||||
+ .arg(q->tokenString(), contextString(context)));
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (type != QXmlStreamReader::DTD)
|
||||
+ return;
|
||||
+
|
||||
+ // Raise error on multiple DTD tokens
|
||||
+ if (foundDTD) {
|
||||
+ raiseError(QXmlStreamReader::UnexpectedElementError,
|
||||
+ QLatin1String("Found second DTD token in %1.").arg(contextString(context)));
|
||||
+ } else {
|
||||
+ foundDTD = true;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*!
|
||||
\fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
|
||||
\since 4.5
|
||||
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
|
||||
index 8f7c9e0..708059b 100644
|
||||
--- a/src/corelib/serialization/qxmlstream_p.h
|
||||
+++ b/src/corelib/serialization/qxmlstream_p.h
|
||||
@@ -804,6 +804,17 @@
|
||||
#endif
|
||||
bool atEnd;
|
||||
|
||||
+ enum class XmlContext
|
||||
+ {
|
||||
+ Prolog,
|
||||
+ Body,
|
||||
+ };
|
||||
+
|
||||
+ XmlContext currentContext = XmlContext::Prolog;
|
||||
+ bool foundDTD = false;
|
||||
+ bool isValidToken(QXmlStreamReader::TokenType type);
|
||||
+ void checkToken();
|
||||
+
|
||||
/*!
|
||||
\sa setType()
|
||||
*/
|
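Review bot: `contextString()` in the `@@ -775,6 +805,16 @@` hunk is defined as a plain free function in qxmlstream.cpp, and the qxmlstream_p.h hunk adds no declaration for it, so it ends up with external linkage under an unprefixed name; `static QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt)` would keep it file-local like `isTokenAllowedInContext()`. Its doc line `\return \param ctxt (Prolog/Body) as a string.` would read better as `Returns \a ctxt (Prolog/Body) as a string.`. The doc block of `isValidToken()` should also say that it is not a pure predicate: on the first non-prolog token it sets `currentContext = XmlContext::Body`, which is why `checkToken()` copies the context before calling it.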
@ -47,10 +47,13 @@ endif()
|
||||
qt_download_submodule( OUT_SOURCE_PATH SOURCE_PATH
|
||||
PATCHES
|
||||
# CVE fixes from https://download.qt.io/official_releases/qt/5.15/
|
||||
patches/CVE-2023-24607-qtbase-5.15.diff
|
||||
patches/CVE-2023-32762-qtbase-5.15.diff
|
||||
patches/CVE-2023-32763-qtbase-5.15.diff
|
||||
patches/CVE-2023-33285-qtbase-5.15.diff
|
||||
patches/CVE-2023-34410-qtbase-5.15.diff
|
||||
patches/CVE-2023-37369-qtbase-5.15.diff
|
||||
patches/CVE-2023-38197-qtbase-5.15.diff
|
||||
|
||||
patches/winmain_pro.patch #Moves qtmain to manual-link
|
||||
patches/windows_prf.patch #fixes the qtmain dependency due to the above move
|
||||
|
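Review bot: The two new XML entries, `patches/CVE-2023-37369-qtbase-5.15.diff` and `patches/CVE-2023-38197-qtbase-5.15.diff`, both modify src/corelib/serialization/qxmlstream.cpp and qxmlstream_p.h, so they presumably apply cleanly only in the order listed here. A one-line comment above them, for example `# order matters: 37369 and 38197 both patch qxmlstream.cpp/_p.h`, would keep a later re-sort of the list from breaking the build. The `qt_download_submodule` call continues outside the hunk.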
@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "qt5-base",
|
||||
"version": "5.15.10",
|
||||
"port-version": 3,
|
||||
"port-version": 4,
|
||||
"description": "Qt5 Application Framework Base Module. Includes Core, GUI, Widgets, Networking, SQL, Concurrent and other essential qt components.",
|
||||
"homepage": "https://www.qt.io/",
|
||||
"license": null,
|
||||
|
@ -6626,7 +6626,7 @@
|
||||
},
|
||||
"qt5-base": {
|
||||
"baseline": "5.15.10",
|
||||
"port-version": 3
|
||||
"port-version": 4
|
||||
},
|
||||
"qt5-canvas3d": {
|
||||
"baseline": "0",
|
||||
|
@ -1,5 +1,10 @@
|
||||
{
|
||||
"versions": [
|
||||
{
|
||||
"git-tree": "bd1318b6c207ed69b8a5c5ab75f143263b6bc522",
|
||||
"version": "5.15.10",
|
||||
"port-version": 4
|
||||
},
|
||||
{
|
||||
"git-tree": "527c937f1bc15252b1397447900bc93c13f16b5e",
|
||||
"version": "5.15.10",
|
||||
|