diff --git a/ports/qt5-base/patches/CVE-2023-24607-qtbase-5.15.diff b/ports/qt5-base/patches/CVE-2023-24607-qtbase-5.15.diff new file mode 100644 index 0000000000..2f0973771e --- /dev/null +++ b/ports/qt5-base/patches/CVE-2023-24607-qtbase-5.15.diff @@ -0,0 +1,332 @@ +--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp ++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp +@@ -92,23 +92,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray& input, int s + return result; + } + ++template ++void toSQLTCHARImpl(QVarLengthArray &result, const QString &input); // primary template undefined ++ ++template ++void do_append(QVarLengthArray &result, const Container &c) ++{ ++ result.append(reinterpret_cast(c.data()), c.size()); ++} ++ ++template <> ++void toSQLTCHARImpl<1>(QVarLengthArray &result, const QString &input) ++{ ++ const auto u8 = input.toUtf8(); ++ do_append(result, u8); ++} ++ ++template <> ++void toSQLTCHARImpl<2>(QVarLengthArray &result, const QString &input) ++{ ++ do_append(result, input); ++} ++ ++template <> ++void toSQLTCHARImpl<4>(QVarLengthArray &result, const QString &input) ++{ ++ const auto u32 = input.toUcs4(); ++ do_append(result, u32); ++} ++ + inline static QVarLengthArray toSQLTCHAR(const QString &input) + { + QVarLengthArray result; +- result.resize(input.size()); +- switch(sizeof(SQLTCHAR)) { +- case 1: +- memcpy(result.data(), input.toUtf8().data(), input.size()); +- break; +- case 2: +- memcpy(result.data(), input.unicode(), input.size() * 2); +- break; +- case 4: +- memcpy(result.data(), input.toUcs4().data(), input.size() * 4); +- break; +- default: +- qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR))); +- } ++ toSQLTCHARImpl(result, input); + result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't. + return result; + } + +--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp ++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp +@@ -1732,10 +1732,11 @@ bool QODBCResult::exec() + case QVariant::String: + if (d->unicode) { + if (bindValueType(i) & QSql::Out) { +- const QByteArray &first = tmpStorage.at(i); +- QVarLengthArray array; +- array.append((const SQLTCHAR *)first.constData(), first.size()); +- values[i] = fromSQLTCHAR(array, first.size()/sizeof(SQLTCHAR)); ++ const QByteArray &bytes = tmpStorage.at(i); ++ const auto strSize = bytes.size() / int(sizeof(SQLTCHAR)); ++ QVarLengthArray string(strSize); ++ memcpy(string.data(), bytes.data(), strSize * sizeof(SQLTCHAR)); ++ values[i] = fromSQLTCHAR(string); + } + break; + } + +--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp ++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp +@@ -779,6 +779,14 @@ QChar QODBCDriverPrivate::quoteChar() + return quote; + } + ++static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val) ++{ ++ auto encoded = toSQLTCHAR(val); ++ return SQLSetConnectAttr(handle, attr, ++ encoded.data(), ++ SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes ++} ++ + + bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) + { +@@ -814,10 +822,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) + v = val.toUInt(); + r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0); + } else if (opt.toUpper() == QLatin1String("SQL_ATTR_CURRENT_CATALOG")) { +- val.utf16(); // 0 terminate +- r = SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, +- toSQLTCHAR(val).data(), +- val.length()*sizeof(SQLTCHAR)); ++ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val); + } else if (opt.toUpper() == QLatin1String("SQL_ATTR_METADATA_ID")) { + if (val.toUpper() == QLatin1String("SQL_TRUE")) { + v = SQL_TRUE; +@@ -832,10 +837,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) + v = val.toUInt(); + r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0); + } else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACEFILE")) { +- val.utf16(); // 0 terminate +- r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, +- toSQLTCHAR(val).data(), +- val.length()*sizeof(SQLTCHAR)); ++ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val); + } else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACE")) { + if (val.toUpper() == QLatin1String("SQL_OPT_TRACE_OFF")) { + v = SQL_OPT_TRACE_OFF; +@@ -1038,9 +1040,12 @@ bool QODBCResult::reset (const QString& query) + return false; + } + +- r = SQLExecDirect(d->hStmt, +- toSQLTCHAR(query).data(), +- (SQLINTEGER) query.length()); ++ { ++ auto encoded = toSQLTCHAR(query); ++ r = SQLExecDirect(d->hStmt, ++ encoded.data(), ++ SQLINTEGER(encoded.size())); ++ } + if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) { + setLastError(qMakeError(QCoreApplication::translate("QODBCResult", + "Unable to execute statement"), QSqlError::StatementError, d)); +@@ -1387,9 +1392,12 @@ bool QODBCResult::prepare(const QString& query) + return false; + } + +- r = SQLPrepare(d->hStmt, +- toSQLTCHAR(query).data(), +- (SQLINTEGER) query.length()); ++ { ++ auto encoded = toSQLTCHAR(query); ++ r = SQLPrepare(d->hStmt, ++ encoded.data(), ++ SQLINTEGER(encoded.size())); ++ } + + if (r != SQL_SUCCESS) { + setLastError(qMakeError(QCoreApplication::translate("QODBCResult", +@@ -1417,7 +1425,7 @@ bool QODBCResult::exec() + SQLCloseCursor(d->hStmt); + + QVector& values = boundValues(); +- QVector tmpStorage(values.count(), QByteArray()); // holds temporary buffers ++ QVector tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter() + QVarLengthArray indicators(values.count()); + memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN)); + +@@ -1596,35 +1604,36 @@ bool QODBCResult::exec() + case QVariant::String: + if (d->unicode) { + QByteArray &ba = tmpStorage[i]; +- QString str = val.toString(); ++ { ++ const auto encoded = toSQLTCHAR(val.toString()); ++ ba = QByteArray(reinterpret_cast(encoded.data()), ++ encoded.size() * sizeof(SQLTCHAR)); ++ } ++ + if (*ind != SQL_NULL_DATA) +- *ind = str.length() * sizeof(SQLTCHAR); +- int strSize = str.length() * sizeof(SQLTCHAR); ++ *ind = ba.size(); + + if (bindValueType(i) & QSql::Out) { +- const QVarLengthArray a(toSQLTCHAR(str)); +- ba = QByteArray((const char *)a.constData(), a.size() * sizeof(SQLTCHAR)); + r = SQLBindParameter(d->hStmt, + i + 1, + qParamType[bindValueType(i) & QSql::InOut], + SQL_C_TCHAR, +- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR, ++ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR, + 0, // god knows... don't change this! + 0, +- ba.data(), ++ const_cast(ba.constData()), // don't detach + ba.size(), + ind); + break; + } +- ba = QByteArray ((const char *)toSQLTCHAR(str).constData(), str.size()*sizeof(SQLTCHAR)); + r = SQLBindParameter(d->hStmt, + i + 1, + qParamType[bindValueType(i) & QSql::InOut], + SQL_C_TCHAR, +- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR, +- strSize, ++ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR, ++ ba.size(), + 0, +- const_cast(ba.constData()), ++ const_cast(ba.constData()), // don't detach + ba.size(), + ind); + break; +@@ -1982,14 +1991,16 @@ bool QODBCDriver::open(const QString & db, + SQLSMALLINT cb; + QVarLengthArray connOut(1024); + memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR)); +- r = SQLDriverConnect(d->hDbc, +- NULL, +- toSQLTCHAR(connQStr).data(), +- (SQLSMALLINT)connQStr.length(), +- connOut.data(), +- 1024, +- &cb, +- /*SQL_DRIVER_NOPROMPT*/0); ++ { ++ auto encoded = toSQLTCHAR(connQStr); ++ r = SQLDriverConnect(d->hDbc, ++ nullptr, ++ encoded.data(), SQLSMALLINT(encoded.size()), ++ connOut.data(), ++ 1024, ++ &cb, ++ /*SQL_DRIVER_NOPROMPT*/0); ++ } + + if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) { + setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d)); +@@ -2368,17 +2379,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const + if (tableType.isEmpty()) + return tl; + +- QString joinedTableTypeString = tableType.join(QLatin1Char(',')); ++ { ++ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u',')); + +- r = SQLTables(hStmt, +- NULL, +- 0, +- NULL, +- 0, +- NULL, +- 0, +- toSQLTCHAR(joinedTableTypeString).data(), +- joinedTableTypeString.length() /* characters, not bytes */); ++ r = SQLTables(hStmt, ++ nullptr, 0, ++ nullptr, 0, ++ nullptr, 0, ++ joinedTableTypeString.data(), joinedTableTypeString.size()); ++ } + + if (r != SQL_SUCCESS) + qSqlWarning(QLatin1String("QODBCDriver::tables Unable to execute table list"), d); +@@ -2452,28 +2461,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const + SQL_ATTR_CURSOR_TYPE, + (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY, + SQL_IS_UINTEGER); +- r = SQLPrimaryKeys(hStmt, +- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(), +- catalog.length(), +- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(), +- schema.length(), +- toSQLTCHAR(table).data(), +- table.length() /* in characters, not in bytes */); ++ { ++ auto c = toSQLTCHAR(catalog); ++ auto s = toSQLTCHAR(schema); ++ auto t = toSQLTCHAR(table); ++ r = SQLPrimaryKeys(hStmt, ++ catalog.isEmpty() ? nullptr : c.data(), c.size(), ++ schema.isEmpty() ? nullptr : s.data(), s.size(), ++ t.data(), t.size()); ++ } + + // if the SQLPrimaryKeys() call does not succeed (e.g the driver + // does not support it) - try an alternative method to get hold of + // the primary index (e.g MS Access and FoxPro) + if (r != SQL_SUCCESS) { +- r = SQLSpecialColumns(hStmt, +- SQL_BEST_ROWID, +- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(), +- catalog.length(), +- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(), +- schema.length(), +- toSQLTCHAR(table).data(), +- table.length(), +- SQL_SCOPE_CURROW, +- SQL_NULLABLE); ++ auto c = toSQLTCHAR(catalog); ++ auto s = toSQLTCHAR(schema); ++ auto t = toSQLTCHAR(table); ++ r = SQLSpecialColumns(hStmt, ++ SQL_BEST_ROWID, ++ catalog.isEmpty() ? nullptr : c.data(), c.size(), ++ schema.isEmpty() ? nullptr : s.data(), s.size(), ++ t.data(), t.size(), ++ SQL_SCOPE_CURROW, ++ SQL_NULLABLE); + + if (r != SQL_SUCCESS) { + qSqlWarning(QLatin1String("QODBCDriver::primaryIndex: Unable to execute primary key list"), d); +@@ -2554,15 +2565,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const + SQL_ATTR_CURSOR_TYPE, + (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY, + SQL_IS_UINTEGER); +- r = SQLColumns(hStmt, +- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(), +- catalog.length(), +- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(), +- schema.length(), +- toSQLTCHAR(table).data(), +- table.length(), +- NULL, +- 0); ++ { ++ auto c = toSQLTCHAR(catalog); ++ auto s = toSQLTCHAR(schema); ++ auto t = toSQLTCHAR(table); ++ r = SQLColumns(hStmt, ++ catalog.isEmpty() ? nullptr : c.data(), c.size(), ++ schema.isEmpty() ? nullptr : s.data(), s.size(), ++ t.data(), t.size(), ++ nullptr, ++ 0); ++ } + if (r != SQL_SUCCESS) + qSqlWarning(QLatin1String("QODBCDriver::record: Unable to execute column list"), d); + diff --git a/ports/qt5-base/patches/CVE-2023-37369-qtbase-5.15.diff b/ports/qt5-base/patches/CVE-2023-37369-qtbase-5.15.diff new file mode 100644 index 0000000000..ad2984fbe1 --- /dev/null +++ b/ports/qt5-base/patches/CVE-2023-37369-qtbase-5.15.diff @@ -0,0 +1,203 @@ +diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp +index 7cd457ba3a..11d162cb79 100644 +--- a/src/corelib/serialization/qxmlstream.cpp ++++ b/src/corelib/serialization/qxmlstream.cpp +@@ -1302,15 +1302,18 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList() + return n; + } + +-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix) ++// Fast scan an XML attribute name (e.g. "xml:lang"). ++inline QXmlStreamReaderPrivate::FastScanNameResult ++QXmlStreamReaderPrivate::fastScanName(Value *val) + { + int n = 0; + uint c; + while ((c = getChar()) != StreamEOF) { + if (n >= 4096) { + // This is too long to be a sensible name, and +- // can exhaust memory +- return 0; ++ // can exhaust memory, or the range of decltype(*prefix) ++ raiseNamePrefixTooLongError(); ++ return {}; + } + switch (c) { + case '\n': +@@ -1339,23 +1342,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix) + case '+': + case '*': + putChar(c); +- if (prefix && *prefix == n+1) { +- *prefix = 0; ++ if (val && val->prefix == n + 1) { ++ val->prefix = 0; + putChar(':'); + --n; + } +- return n; ++ return FastScanNameResult(n); + case ':': +- if (prefix) { +- if (*prefix == 0) { +- *prefix = n+2; ++ if (val) { ++ if (val->prefix == 0) { ++ val->prefix = n + 2; + } else { // only one colon allowed according to the namespace spec. + putChar(c); +- return n; ++ return FastScanNameResult(n); + } + } else { + putChar(c); +- return n; ++ return FastScanNameResult(n); + } + Q_FALLTHROUGH(); + default: +@@ -1364,12 +1367,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix) + } + } + +- if (prefix) +- *prefix = 0; ++ if (val) ++ val->prefix = 0; + int pos = textBuffer.size() - n; + putString(textBuffer, pos); + textBuffer.resize(pos); +- return 0; ++ return FastScanNameResult(0); + } + + enum NameChar { NameBeginning, NameNotBeginning, NotName }; +@@ -1878,6 +1881,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message) + raiseError(QXmlStreamReader::NotWellFormedError, message); + } + ++void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError() ++{ ++ // TODO: add a ImplementationLimitsExceededError and use it instead ++ raiseError(QXmlStreamReader::NotWellFormedError, ++ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB " ++ "characters).")); ++} ++ + void QXmlStreamReaderPrivate::parseError() + { + +diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g +index 4321fed68a..8c6a1a5887 100644 +--- a/src/corelib/serialization/qxmlstream.g ++++ b/src/corelib/serialization/qxmlstream.g +@@ -516,7 +516,16 @@ public: + int fastScanLiteralContent(); + int fastScanSpace(); + int fastScanContentCharList(); +- int fastScanName(int *prefix = nullptr); ++ ++ struct FastScanNameResult { ++ FastScanNameResult() : ok(false) {} ++ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { } ++ operator bool() { return ok; } ++ int operator*() { Q_ASSERT(ok); return addToLen; } ++ int addToLen; ++ bool ok; ++ }; ++ FastScanNameResult fastScanName(Value *val = nullptr); + inline int fastScanNMTOKEN(); + + +@@ -525,6 +534,7 @@ public: + + void raiseError(QXmlStreamReader::Error error, const QString& message = QString()); + void raiseWellFormedError(const QString &message); ++ void raiseNamePrefixTooLongError(); + + QXmlStreamEntityResolver *entityResolver; + +@@ -1811,7 +1821,12 @@ space_opt ::= space; + qname ::= LETTER; + /. + case $rule_number: { +- sym(1).len += fastScanName(&sym(1).prefix); ++ Value &val = sym(1); ++ if (auto res = fastScanName(&val)) ++ val.len += *res; ++ else ++ return false; ++ + if (atEnd) { + resume($rule_number); + return false; +@@ -1822,7 +1837,11 @@ qname ::= LETTER; + name ::= LETTER; + /. + case $rule_number: +- sym(1).len += fastScanName(); ++ if (auto res = fastScanName()) ++ sym(1).len += *res; ++ else ++ return false; ++ + if (atEnd) { + resume($rule_number); + return false; +diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h +index e5bde7b98e..b01484cac3 100644 +--- a/src/corelib/serialization/qxmlstream_p.h ++++ b/src/corelib/serialization/qxmlstream_p.h +@@ -1005,7 +1005,16 @@ public: + int fastScanLiteralContent(); + int fastScanSpace(); + int fastScanContentCharList(); +- int fastScanName(int *prefix = nullptr); ++ ++ struct FastScanNameResult { ++ FastScanNameResult() : ok(false) {} ++ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { } ++ operator bool() { return ok; } ++ int operator*() { Q_ASSERT(ok); return addToLen; } ++ int addToLen; ++ bool ok; ++ }; ++ FastScanNameResult fastScanName(Value *val = nullptr); + inline int fastScanNMTOKEN(); + + +@@ -1014,6 +1023,7 @@ public: + + void raiseError(QXmlStreamReader::Error error, const QString& message = QString()); + void raiseWellFormedError(const QString &message); ++ void raiseNamePrefixTooLongError(); + + QXmlStreamEntityResolver *entityResolver; + +@@ -1939,7 +1949,12 @@ bool QXmlStreamReaderPrivate::parse() + break; + + case 262: { +- sym(1).len += fastScanName(&sym(1).prefix); ++ Value &val = sym(1); ++ if (auto res = fastScanName(&val)) ++ val.len += *res; ++ else ++ return false; ++ + if (atEnd) { + resume(262); + return false; +@@ -1947,7 +1962,11 @@ bool QXmlStreamReaderPrivate::parse() + } break; + + case 263: +- sym(1).len += fastScanName(); ++ if (auto res = fastScanName()) ++ sym(1).len += *res; ++ else ++ return false; ++ + if (atEnd) { + resume(263); + return false; diff --git a/ports/qt5-base/patches/CVE-2023-38197-qtbase-5.15.diff b/ports/qt5-base/patches/CVE-2023-38197-qtbase-5.15.diff new file mode 100644 index 0000000000..e9e622bc3d --- /dev/null +++ b/ports/qt5-base/patches/CVE-2023-38197-qtbase-5.15.diff @@ -0,0 +1,219 @@ +diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp +index bf8a2a9..6ab5d49 100644 +--- a/src/corelib/serialization/qxmlstream.cpp ++++ b/src/corelib/serialization/qxmlstream.cpp +@@ -160,7 +160,7 @@ + addData() or by waiting for it to arrive on the device(). + + \value UnexpectedElementError The parser encountered an element +- that was different to those it expected. ++ or token that was different to those it expected. + + */ + +@@ -295,13 +295,34 @@ + + QXmlStreamReader is a well-formed XML 1.0 parser that does \e not + include external parsed entities. As long as no error occurs, the +- application code can thus be assured that the data provided by the +- stream reader satisfies the W3C's criteria for well-formed XML. For +- example, you can be certain that all tags are indeed nested and +- closed properly, that references to internal entities have been +- replaced with the correct replacement text, and that attributes have +- been normalized or added according to the internal subset of the +- DTD. ++ application code can thus be assured, that ++ \list ++ \li the data provided by the stream reader satisfies the W3C's ++ criteria for well-formed XML, ++ \li tokens are provided in a valid order. ++ \endlist ++ ++ Unless QXmlStreamReader raises an error, it guarantees the following: ++ \list ++ \li All tags are nested and closed properly. ++ \li References to internal entities have been replaced with the ++ correct replacement text. ++ \li Attributes have been normalized or added according to the ++ internal subset of the \l DTD. ++ \li Tokens of type \l StartDocument happen before all others, ++ aside from comments and processing instructions. ++ \li At most one DOCTYPE element (a token of type \l DTD) is present. ++ \li If present, the DOCTYPE appears before all other elements, ++ aside from StartDocument, comments and processing instructions. ++ \endlist ++ ++ In particular, once any token of type \l StartElement, \l EndElement, ++ \l Characters, \l EntityReference or \l EndDocument is seen, no ++ tokens of type StartDocument or DTD will be seen. If one is present in ++ the input stream, out of order, an error is raised. ++ ++ \note The token types \l Comment and \l ProcessingInstruction may appear ++ anywhere in the stream. + + If an error occurs while parsing, atEnd() and hasError() return + true, and error() returns the error that occurred. The functions +@@ -620,6 +641,7 @@ + d->token = -1; + return readNext(); + } ++ d->checkToken(); + return d->type; + } + +@@ -740,6 +762,14 @@ + }; + + ++static const char QXmlStreamReader_XmlContextString[] = ++ "Prolog\0" ++ "Body\0"; ++ ++static const short QXmlStreamReader_XmlContextString_indices[] = { ++ 0, 7 ++}; ++ + /*! + \property QXmlStreamReader::namespaceProcessing + The namespace-processing flag of the stream reader +@@ -775,6 +805,16 @@ + QXmlStreamReader_tokenTypeString_indices[d->type]); + } + ++/*! ++ \internal ++ \return \param ctxt (Prolog/Body) as a string. ++ */ ++QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt) ++{ ++ return QLatin1String(QXmlStreamReader_XmlContextString + ++ QXmlStreamReader_XmlContextString_indices[static_cast(ctxt)]); ++} ++ + #endif // QT_NO_XMLSTREAMREADER + + QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack() +@@ -866,6 +906,8 @@ + + type = QXmlStreamReader::NoToken; + error = QXmlStreamReader::NoError; ++ currentContext = XmlContext::Prolog; ++ foundDTD = false; + } + + /* +@@ -4061,6 +4103,92 @@ + } + } + ++static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type, ++ QXmlStreamReaderPrivate::XmlContext loc) ++{ ++ switch (type) { ++ case QXmlStreamReader::StartDocument: ++ case QXmlStreamReader::DTD: ++ return loc == QXmlStreamReaderPrivate::XmlContext::Prolog; ++ ++ case QXmlStreamReader::StartElement: ++ case QXmlStreamReader::EndElement: ++ case QXmlStreamReader::Characters: ++ case QXmlStreamReader::EntityReference: ++ case QXmlStreamReader::EndDocument: ++ return loc == QXmlStreamReaderPrivate::XmlContext::Body; ++ ++ case QXmlStreamReader::Comment: ++ case QXmlStreamReader::ProcessingInstruction: ++ return true; ++ ++ case QXmlStreamReader::NoToken: ++ case QXmlStreamReader::Invalid: ++ return false; ++ default: ++ return false; ++ } ++} ++ ++/*! ++ \internal ++ \brief QXmlStreamReader::isValidToken ++ \return \c true if \param type is a valid token type. ++ \return \c false if \param type is an unexpected token, ++ which indicates a non-well-formed or invalid XML stream. ++ */ ++bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type) ++{ ++ // Don't change currentContext, if Invalid or NoToken occur in the prolog ++ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken) ++ return false; ++ ++ // If a token type gets rejected in the body, there is no recovery ++ const bool result = isTokenAllowedInContext(type, currentContext); ++ if (result || currentContext == XmlContext::Body) ++ return result; ++ ++ // First non-Prolog token observed => switch context to body and check again. ++ currentContext = XmlContext::Body; ++ return isTokenAllowedInContext(type, currentContext); ++} ++ ++/*! ++ \internal ++ Checks token type and raises an error, if it is invalid ++ in the current context (prolog/body). ++ */ ++void QXmlStreamReaderPrivate::checkToken() ++{ ++ Q_Q(QXmlStreamReader); ++ ++ // The token type must be consumed, to keep track if the body has been reached. ++ const XmlContext context = currentContext; ++ const bool ok = isValidToken(type); ++ ++ // Do nothing if an error has been raised already (going along with an unexpected token) ++ if (error != QXmlStreamReader::Error::NoError) ++ return; ++ ++ if (!ok) { ++ raiseError(QXmlStreamReader::UnexpectedElementError, ++ QLatin1String("Unexpected token type %1 in %2.") ++ .arg(q->tokenString(), contextString(context))); ++ return; ++ } ++ ++ if (type != QXmlStreamReader::DTD) ++ return; ++ ++ // Raise error on multiple DTD tokens ++ if (foundDTD) { ++ raiseError(QXmlStreamReader::UnexpectedElementError, ++ QLatin1String("Found second DTD token in %1.").arg(contextString(context))); ++ } else { ++ foundDTD = true; ++ } ++} ++ + /*! + \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const + \since 4.5 +diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h +index 8f7c9e0..708059b 100644 +--- a/src/corelib/serialization/qxmlstream_p.h ++++ b/src/corelib/serialization/qxmlstream_p.h +@@ -804,6 +804,17 @@ + #endif + bool atEnd; + ++ enum class XmlContext ++ { ++ Prolog, ++ Body, ++ }; ++ ++ XmlContext currentContext = XmlContext::Prolog; ++ bool foundDTD = false; ++ bool isValidToken(QXmlStreamReader::TokenType type); ++ void checkToken(); ++ + /*! + \sa setType() + */ diff --git a/ports/qt5-base/portfile.cmake b/ports/qt5-base/portfile.cmake index 5a580042ca..45fce5acd9 100644 --- a/ports/qt5-base/portfile.cmake +++ b/ports/qt5-base/portfile.cmake @@ -47,10 +47,13 @@ endif() qt_download_submodule( OUT_SOURCE_PATH SOURCE_PATH PATCHES # CVE fixes from https://download.qt.io/official_releases/qt/5.15/ + patches/CVE-2023-24607-qtbase-5.15.diff patches/CVE-2023-32762-qtbase-5.15.diff patches/CVE-2023-32763-qtbase-5.15.diff patches/CVE-2023-33285-qtbase-5.15.diff patches/CVE-2023-34410-qtbase-5.15.diff + patches/CVE-2023-37369-qtbase-5.15.diff + patches/CVE-2023-38197-qtbase-5.15.diff patches/winmain_pro.patch #Moves qtmain to manual-link patches/windows_prf.patch #fixes the qtmain dependency due to the above move diff --git a/ports/qt5-base/vcpkg.json b/ports/qt5-base/vcpkg.json index ce060a7043..cc615e2975 100644 --- a/ports/qt5-base/vcpkg.json +++ b/ports/qt5-base/vcpkg.json @@ -1,7 +1,7 @@ { "name": "qt5-base", "version": "5.15.10", - "port-version": 3, + "port-version": 4, "description": "Qt5 Application Framework Base Module. Includes Core, GUI, Widgets, Networking, SQL, Concurrent and other essential qt components.", "homepage": "https://www.qt.io/", "license": null, diff --git a/versions/baseline.json b/versions/baseline.json index d60b401838..7b837a0c6d 100644 --- a/versions/baseline.json +++ b/versions/baseline.json @@ -6626,7 +6626,7 @@ }, "qt5-base": { "baseline": "5.15.10", - "port-version": 3 + "port-version": 4 }, "qt5-canvas3d": { "baseline": "0", diff --git a/versions/q-/qt5-base.json b/versions/q-/qt5-base.json index 640d700bbd..7b7987b38e 100644 --- a/versions/q-/qt5-base.json +++ b/versions/q-/qt5-base.json @@ -1,5 +1,10 @@ { "versions": [ + { + "git-tree": "bd1318b6c207ed69b8a5c5ab75f143263b6bc522", + "version": "5.15.10", + "port-version": 4 + }, { "git-tree": "527c937f1bc15252b1397447900bc93c13f16b5e", "version": "5.15.10",