author | Andreas Sturmlechner <asturm@gentoo.org> | 2020-01-26 00:29:54 +0100 |
---|---|---|
committer | Andreas Sturmlechner <asturm@gentoo.org> | 2020-01-26 00:56:18 +0100 |
commit | f0f2e0e6f77f988b30bcaeef18e2d4e28708f7b1 (patch) | |
tree | f53ffc6c53ba16faf7bf4c96127d8d467f077257 /dev-qt | |
parent | app-misc/timew: Bump version (diff) | |
dev-qt/qtcore: Fix CVE-2019-18281
Bug: https://bugs.gentoo.org/699226
Package-Manager: Portage-2.3.85, Repoman-2.3.20
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
Diffstat (limited to 'dev-qt')
-rw-r--r-- | dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch | 98 | ||||
-rw-r--r-- | dev-qt/qtcore/qtcore-5.12.3-r1.ebuild | 86 |
2 files changed, 184 insertions, 0 deletions
diff --git a/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
new file mode 100644
index 000000000000..055794b51964
--- /dev/null
+++ b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
@@ -0,0 +1,98 @@
+From 1232205e32464d90e871f39eb1e14fcf9b78a163 Mon Sep 17 00:00:00 2001
+From: Rainer Keller <Rainer.Keller@qt.io>
+Date: Tue, 27 Aug 2019 14:44:48 +0200
+Subject: [PATCH] Fix crash when text contains too many directional chars
+
+In case a text to be layouted contains more than 128 directional characters
+it causes the application to crash
+
+The function initScriptAnalysisAndIsolatePairs() collects information of
+RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is
+capped to 128. Later the function generateDirectionalRuns() iterates
+the text again and tries to access items from the previously capped vector
+above the upper bound.
+
+Task-number: QTBUG-77819
+Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a
+Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
+---
+ src/gui/text/qtextengine.cpp | 15 +++++++--------
+ tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp | 17 +++++++++++++++++
+ 2 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp
+index 2da13289bfd..a7834587b1e 100644
+--- a/src/gui/text/qtextengine.cpp
++++ b/src/gui/text/qtextengine.cpp
+@@ -399,6 +399,7 @@ struct QBidiAlgorithm {
+ analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL;
+ runHasContent = true;
+ lastRunWithContent = -1;
++ ++isolatePairPosition;
+ }
+ int runBeforeIsolate = runs.size();
+ ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1);
+@@ -440,21 +441,19 @@ struct QBidiAlgorithm {
+ doEmbed(true, true, false);
+ break;
+ case QChar::DirLRI:
+- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+ doEmbed(false, false, true);
+- ++isolatePairPosition;
+ break;
+ case QChar::DirRLI:
+- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
+ doEmbed(true, false, true);
+- ++isolatePairPosition;
+ break;
+ case QChar::DirFSI: {
+- const auto &pair = isolatePairs.at(isolatePairPosition);
+- Q_ASSERT(pair.start == i);
+- bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
++ bool isRtl = false;
++ if (isolatePairPosition < isolatePairs.size()) {
++ const auto &pair = isolatePairs.at(isolatePairPosition);
++ Q_ASSERT(pair.start == i);
++ isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
++ }
+ doEmbed(isRtl, false, true);
+- ++isolatePairPosition;
+ break;
+ }
+
+diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+index 9c477589f93..f0a32c2ed40 100644
+--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
++++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+@@ -138,6 +138,7 @@ private slots:
+ void noModificationOfInputString();
+ void superscriptCrash_qtbug53911();
+ void showLineAndParagraphSeparatorsCrash();
++ void tooManyDirectionalCharctersCrash_qtbug77819();
+
+ private:
+ QFont testFont;
+@@ -2309,5 +2310,21 @@ void tst_QTextLayout::nbspWithFormat()
+ QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length());
+ }
+
++void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819()
++{
++ QString data;
++ data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character
++ data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character
++
++ // duplicating the text
++ for (int i = 0; i < 10; i++)
++ data += data;
++
++ // Nothing to test. It must not crash in beginLayout().
++ QTextLayout tl(data);
++ tl.beginLayout();
++ tl.endLayout();
++}
++
+ QTEST_MAIN(tst_QTextLayout)
+ #include "tst_qtextlayout.moc"
+--
+2.16.3
diff --git a/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild
new file mode 100644
index 000000000000..ff88ef5f4ec7
--- /dev/null
+++ b/dev-qt/qtcore/qtcore-5.12.3-r1.ebuild
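Review bot: In the new DirFSI branch (`++ bool isRtl = false;` followed by `++ if (isolatePairPosition < isolatePairs.size()) {`) an isolate past the end of the capped `isolatePairs` vector no longer reads out of bounds, but its direction silently defaults to LTR, so input with more isolates than the cap is laid out with a possibly wrong embedding direction instead of failing loudly; that degradation is reasonable for a crash fix but is undocumented in the code. I would add `// isolatePairs is capped; beyond the cap the pair is unknown, so fall back to LTR instead of indexing past the end` above `bool isRtl = false;`. The DirLRI and DirRLI cases, whose local `++isolatePairPosition;` lines are removed, now depend on the single increment added after `lastRunWithContent = -1;` in the first hunk, which from the context appears to be inside doEmbed() but whose enclosing function starts outside the hunk, so that coupling is worth a one-line comment at the increment. The `Q_ASSERT(pair.start == i)` is kept only inside the bounded branch, which is consistent with the cap.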
@@ -0,0 +1,86 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Cross-platform application development framework"
+
+if [[ ${QT5_BUILD_TYPE} == release ]]; then
+ KEYWORDS="~arm ~x86"
+fi
+
+IUSE="icu systemd"
+
+DEPEND="
+ dev-libs/double-conversion:=
+ dev-libs/glib:2
+ dev-libs/libpcre2[pcre16,unicode]
+ sys-libs/zlib:=
+ icu? ( dev-libs/icu:= )
+ !icu? ( virtual/libiconv )
+ systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="${DEPEND}
+ !<dev-qt/qtcore-4.8.7-r4:4
+"
+
+QT5_TARGET_SUBDIRS=(
+ src/tools/bootstrap
+ src/tools/moc
+ src/tools/rcc
+ src/tools/qfloat16-tables
+ src/corelib
+ src/tools/qlalr
+ doc
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+ !:network
+ !:sql
+ !:testlib
+ !:xml
+)
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2019-18281.patch" )
+
+src_prepare() {
+ # don't add -O3 to CXXFLAGS, bug 549140
+ sed -i -e '/CONFIG\s*+=/s/optimize_full//' src/corelib/corelib.pro || die
+
+ # fix missing qt_version_tag symbol w/ LTO, bug 674382
+ sed -i -e 's/^gcc:ltcg/gcc/' src/corelib/global/global.pri || die
+
+ qt5-build_src_prepare
+}
+
+src_configure() {
+ local myconf=(
+ -no-feature-statx # bug 672856
+ $(qt_use icu)
+ $(qt_use !icu iconv)
+ $(qt_use systemd journald)
+ )
+ qt5-build_src_configure
+}
+
+src_install() {
+ qt5-build_src_install
+
+ local flags=(
+ DBUS FREETYPE IMAGEFORMAT_JPEG IMAGEFORMAT_PNG
+ OPENGL OPENSSL SSL WIDGETS
+ )
+
+ for flag in ${flags[@]}; do
+ cat >> "${D%/}"/${QT5_HEADERDIR}/QtCore/qconfig.h <<- _EOF_ || die
+
+ #if defined(QT_NO_${flag}) && defined(QT_${flag})
+ # undef QT_NO_${flag}
+ #elif !defined(QT_NO_${flag}) && !defined(QT_${flag})
+ # define QT_NO_${flag}
+ #endif
+ _EOF_
+ done
+}
|
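Review bot: The patch wired in by `PATCHES=( "${FILESDIR}/${P}-CVE-2019-18281.patch" )` changes src/gui/text/qtextengine.cpp, while QT5_TARGET_SUBDIRS in this ebuild lists only src/corelib, src/tools/* and doc, so unless qt5-build compiles src/gui as part of this module the patched translation unit is never rebuilt by qtcore and the -r1 revision would rebuild users' QtCore without delivering the CVE fix. I cannot see the eclass from here, so this should be confirmed against qt5-build.eclass and, if it holds, the patch belongs in the package that builds QtGui. At minimum I would record the intent next to the PATCHES line, e.g. `# CVE-2019-18281: patch touches src/gui/text/qtextengine.cpp, bug 699226`, so the mismatch with QT5_TARGET_SUBDIRS is visible to the next maintainer. The test-file hunk inside the patch is harmless here since tests/auto is not in the subdir list.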