[AUTO-CHERRYPICK] [Medium] patch qtbase to fix CVE-2025-30348 - branch 3.0-dev (#13162)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/qtbase/CVE-2025-30348.patch

@@ -0,0 +1,114 @@
+From 5e8236ec5747f3ad038db3b9996e9c73d72fe668 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Wed, 26 Mar 2025 07:01:54 +0000
+Subject: [PATCH] CVE-2025-30348
+
+Source Link: https://github.com/qt/qtbase/commit/2ce08e3671b8d18b0284447e5908ce15e6e8f80f#diff-3d82d7c5074d1c9c1b8293c5d904f5c17e1797cc9f8369854c602e9fbc3ff13cL3621-R3596
+---
+ src/xml/dom/qdom.cpp | 88 ++++++++++++++++++++++++--------------------
+ 1 file changed, 49 insertions(+), 39 deletions(-)
+
+diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
+index 721981fd..29145f67 100644
+--- a/src/xml/dom/qdom.cpp
++++ b/src/xml/dom/qdom.cpp
+@@ -3612,47 +3612,57 @@ static QString encodeText(const QString &str,
+                           const bool performAVN = false,
+                           const bool encodeEOLs = false)
+ {
+-    QString retval(str);
+-    int len = retval.size();
+-    int i = 0;
+-
+-    while (i < len) {
+-        const QChar ati(retval.at(i));
+-
+-        if (ati == u'<') {
+-            retval.replace(i, 1, "&lt;"_L1);
+-            len += 3;
+-            i += 4;
+-        } else if (encodeQuotes && (ati == u'"')) {
+-            retval.replace(i, 1, "&quot;"_L1);
+-            len += 5;
+-            i += 6;
+-        } else if (ati == u'&') {
+-            retval.replace(i, 1, "&amp;"_L1);
+-            len += 4;
+-            i += 5;
+-        } else if (ati == u'>' && i >= 2 && retval[i - 1] == u']' && retval[i - 2] == u']') {
+-            retval.replace(i, 1, "&gt;"_L1);
+-            len += 3;
+-            i += 4;
+-        } else if (performAVN &&
+-                   (ati == QChar(0xA) ||
+-                    ati == QChar(0xD) ||
+-                    ati == QChar(0x9))) {
+-            const QString replacement(u"&#x"_s + QString::number(ati.unicode(), 16) + u';');
+-            retval.replace(i, 1, replacement);
+-            i += replacement.size();
+-            len += replacement.size() - 1;
+-        } else if (encodeEOLs && ati == QChar(0xD)) {
+-            retval.replace(i, 1, "&#xd;"_L1); // Replace a single 0xD with a ref for 0xD
+-            len += 4;
+-            i += 5;
+-        } else {
+-            ++i;
++    QString retval;
++    qsizetype start = 0;
++    auto appendToOutput = [&](qsizetype cur, const auto &replacement)
++    {
++        if (start < cur) {
++            retval.reserve(str.size() + replacement.size());
++            retval.append(QStringView(str).first(cur).sliced(start));
++        }
++        // Skip over str[cur], replaced by replacement
++        start = cur + 1;
++        retval.append(replacement);
++    };
++
++    const qsizetype len = str.size();
++    for (qsizetype cur = 0; cur < len; ++cur) {
++        switch (str[cur].unicode()) {
++            case u'<':
++                appendToOutput(cur, "&lt;"_L1);
++                break;
++            case u'"':
++                if (encodeQuotes)
++                    appendToOutput(cur, "&quot;"_L1);
++                break;
++            case u'&':
++                appendToOutput(cur, "&amp;"_L1);
++                break;
++            case u'>':
++                if (cur >= 2 && str[cur - 1] == u']' && str[cur - 2] == u']')
++                    appendToOutput(cur, "&gt;"_L1);
++                break;
++            case u'\r':
++                if (performAVN || encodeEOLs)
++                    appendToOutput(cur, "&#xd;"_L1);    // \r == 0x0d
++                break;
++            case u'\n':
++                if (performAVN)
++                    appendToOutput(cur, "&#xa;"_L1);    // \n == 0x0a
++                break;
++            case u'\t':
++                if (performAVN)
++                    appendToOutput(cur, "&#x9;"_L1);    // \t == 0x09
++                break;
++            default:
++                break;
+         }
+     }
+-
+-    return retval;
++    if (start > 0) {
++        retval.append(QStringView(str).first(len).sliced(start));
++        return retval;
++    }
++    return str;
+ }
+ 
+ void QDomAttrPrivate::save(QTextStream& s, int, int) const
+-- 
+2.45.2
+

SPECS/qtbase/qtbase.spec

@@ -35,7 +35,7 @@
 Name:         qtbase
 Summary:      Qt6 - QtBase components
 Version:      6.6.3
-Release:      2%{?dist}
+Release:      3%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -97,6 +97,7 @@ Patch61: qtbase-cxxflag.patch
 
 # fix for new mariadb
 Patch65: qtbase-mysql.patch
+Patch66: CVE-2025-30348.patch
 
 # Do not check any files in %%{_qt_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -701,6 +702,9 @@ fi
 %{_qt_plugindir}/platformthemes/libqxdgdesktopportal.so
 
 %changelog
+* Wed Mar 26 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 6.6.3-3
+- Fix CVE-2025-30348
+
 * Thu Jan 16 2025 Lanze Liu <lanzeliu@micrsoft.com> - 6.6.3-2
 - Added a patch for addressing CVE-2024-56732