From 50227c60c9e2c822a5da8945ef9a6d442b16acbb Mon Sep 17 00:00:00 2001 From: Schrijvers Luc Date: Fri, 11 Jul 2025 16:09:26 +0200 Subject: [PATCH] qt6_imageformats, add CVE patch for 6.9.0 (#12570) --- .../CVE-2025-5683-qtimageformats-6.9.patch | 28 +++++++++++++++++++ .../qt6_imageformats-6.9.0.recipe | 3 +- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 dev-qt/qt6-imageformats/patches/CVE-2025-5683-qtimageformats-6.9.patch diff --git a/dev-qt/qt6-imageformats/patches/CVE-2025-5683-qtimageformats-6.9.patch b/dev-qt/qt6-imageformats/patches/CVE-2025-5683-qtimageformats-6.9.patch new file mode 100644 index 000000000..278d6ac35 --- /dev/null +++ b/dev-qt/qt6-imageformats/patches/CVE-2025-5683-qtimageformats-6.9.patch @@ -0,0 +1,28 @@ +diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp +index 6cf74b219a1..501394deede 100644 +--- a/src/plugins/imageformats/icns/qicnshandler.cpp ++++ b/src/plugins/imageformats/icns/qicnshandler.cpp +@@ -324,8 +324,11 @@ static inline bool isPowOf2OrDividesBy16(quint32 u, qreal r) + + static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0) + { +- return header.ostype != 0 && (bound == 0 +- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length); ++ return header.ostype != 0 && ++ (bound == 0 || ++ // qBound can be used but requires checking the limits first ++ // this requires less operations ++ (ICNSBlockHeaderSize <= header.length && header.length <= bound)); + } + + static inline bool isIconCompressed(const ICNSEntry &icon) +@@ -870,7 +873,7 @@ bool QICNSHandler::scanDevice() + return false; + + const qint64 blockDataOffset = device()->pos(); +- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) { ++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) { + qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u", + QByteArray::number(blockDataOffset).constData(), + nameFromOSType(blockHeader.ostype).constData(), blockHeader.length); + diff --git a/dev-qt/qt6-imageformats/qt6_imageformats-6.9.0.recipe b/dev-qt/qt6-imageformats/qt6_imageformats-6.9.0.recipe index 21d6a1027..cdedc43bf 100644 --- a/dev-qt/qt6-imageformats/qt6_imageformats-6.9.0.recipe +++ b/dev-qt/qt6-imageformats/qt6_imageformats-6.9.0.recipe @@ -8,11 +8,12 @@ COPYRIGHT="2015-2025 The Qt Company Ltd." LICENSE="GNU LGPL v2.1 GNU LGPL v3 GNU FDL v1" -REVISION="1" +REVISION="2" QT_MIRROR_URI="https://qt-mirror.dannhauer.de/archive" SOURCE_URI="$QT_MIRROR_URI/qt/${portVersion%.*}/$portVersion/submodules/qtimageformats-everywhere-src-$portVersion.tar.xz" CHECKSUM_SHA256="2047c6242a57bf97cf40079fa9f91752c137cd9ae84760faa9a2e5e8a440606f" SOURCE_DIR="qtimageformats-everywhere-src-$portVersion" +PATCHES="CVE-2025-5683-qtimageformats-6.9.patch" ARCHITECTURES="?all !x86_gcc2" SECONDARY_ARCHITECTURES="?x86"