Patched CVE-2021-38593 in qt5-qtbase. (#7907)

PawelWMS · Sumynwa · web-flow · commit efe620c3fc28 · 2024-02-15T12:39:23.000-08:00
Co-authored-by: Sumynwa &lt;sumedh.alok@gmail.com&gt;
diff --git a/SPECS/qt5-qtbase/CVE-2021-38593.patch b/SPECS/qt5-qtbase/CVE-2021-38593.patch
@@ -0,0 +1,289 @@
+From 7f345f2a1c8d9f60c60e8a9d8cc90729794bd2f1 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Tue, 13 Apr 2021 14:23:45 +0200
+Subject: Avoid processing-intensive painting of high number of tiny dashes
+
+When stroking a dashed path, an unnecessary amount of processing would
+be spent if there is a huge number of dashes visible, e.g. because of
+scaling. Since the dashes are too small to be indivdually visible
+anyway, just replace with a semi-transparent solid line for such
+cases.
+
+Change-Id: I9e9f7861257ad5bce46a0cf113d1a9d7824911e6
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+(cherry picked from commit f4d791b330d02777fcaf02938732892eb3167e9b)
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+ src/gui/painting/qpaintengineex.cpp              | 44 +++++++++++++++++++-----
+ tests/auto/other/lancelot/scripts/tinydashes.qps | 34 ++++++++++++++++++
+ 2 files changed, 69 insertions(+), 9 deletions(-)
+ create mode 100644 tests/auto/other/lancelot/scripts/tinydashes.qps
+
+diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
+index f4cbf15fc7..f04e3a498d 100644
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -385,7 +385,7 @@ QPainterState *QPaintEngineEx::createState(QPainterState *orig) const
+ 
+ Q_GUI_EXPORT extern bool qt_scaleForTransform(const QTransform &transform, qreal *scale); // qtransform.cpp
+ 
+-void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &pen)
++void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+ {
+ #ifdef QT_DEBUG_DRAW
+     qDebug() << "QPaintEngineEx::stroke()" << pen;
+@@ -403,6 +403,38 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &pen)
+         d->stroker.setCubicToHook(qpaintengineex_cubicTo);
+     }
+ 
++    QRectF clipRect;
++    QPen pen = inPen;
++    if (pen.style() > Qt::SolidLine) {
++        QRectF cpRect = path.controlPointRect();
++        const QTransform &xf = state()->matrix;
++        if (qt_pen_is_cosmetic(pen, state()->renderHints)) {
++            clipRect = d->exDeviceRect;
++            cpRect.translate(xf.dx(), xf.dy());
++        } else {
++            clipRect = xf.inverted().mapRect(QRectF(d->exDeviceRect));
++        }
++        // Check to avoid generating unwieldy amount of dashes that will not be visible anyway
++        QRectF extentRect = cpRect & clipRect;
++        qreal extent = qMax(extentRect.width(), extentRect.height());
++        qreal patternLength = 0;
++        const QVector<qreal> pattern = pen.dashPattern();
++        const int patternSize = qMin(pattern.size(), 32);
++        for (int i = 0; i < patternSize; i++)
++            patternLength += qMax(pattern.at(i), qreal(0));
++        if (pen.widthF())
++            patternLength *= pen.widthF();
++        if (qFuzzyIsNull(patternLength)) {
++            pen.setStyle(Qt::NoPen);
++        } else if (extent / patternLength > 10000) {
++            // approximate stream of tiny dashes with semi-transparent solid line
++            pen.setStyle(Qt::SolidLine);
++            QColor color(pen.color());
++            color.setAlpha(color.alpha() / 2);
++            pen.setColor(color);
++        }
++    }
++
+     if (!qpen_fast_equals(pen, d->strokerPen)) {
+         d->strokerPen = pen;
+         d->stroker.setJoinStyle(pen.joinStyle());
+@@ -430,14 +462,8 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &pen)
+         return;
+     }
+ 
+-    if (pen.style() > Qt::SolidLine) {
+-        if (qt_pen_is_cosmetic(pen, state()->renderHints)){
+-            d->activeStroker->setClipRect(d->exDeviceRect);
+-        } else {
+-            QRectF clipRect = state()->matrix.inverted().mapRect(QRectF(d->exDeviceRect));
+-            d->activeStroker->setClipRect(clipRect);
+-        }
+-    }
++    if (!clipRect.isNull())
++        d->activeStroker->setClipRect(clipRect);
+ 
+     const QPainterPath::ElementType *types = path.elements();
+     const qreal *points = path.points();
+diff --git a/tests/auto/other/lancelot/scripts/tinydashes.qps b/tests/auto/other/lancelot/scripts/tinydashes.qps
+new file mode 100644
+index 0000000000..d41ced7f5f
+--- /dev/null
++++ b/tests/auto/other/lancelot/scripts/tinydashes.qps
+@@ -0,0 +1,34 @@
++# Version: 1
++# CheckVsReference: 5%
++
++path_addEllipse mypath 20.0 20.0 200.0 200.0
++
++save
++setPen blue 20 SolidLine FlatCap
++pen_setCosmetic true
++pen_setDashPattern [ 0.0004 0.0004 ]
++setBrush yellow
++
++drawPath mypath
++translate 300 0
++setRenderHint Antialiasing true
++drawPath mypath
++restore
++
++path_addEllipse bigpath 200000.0 200000.0 2000000.0 2000000.0
++
++setPen blue 20 DotLine FlatCap
++setBrush yellow
++
++save
++translate 0 300
++scale 0.0001 0.00011
++drawPath bigpath
++restore
++
++save
++translate 300 300
++setRenderHint Antialiasing true
++scale 0.0001 0.00011
++drawPath bigpath
++restore
+-- 
+From 9378ba2ae857df7e21a384e514650823db2355c3 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Fri, 23 Jul 2021 15:53:56 +0200
+Subject: Improve fix for avoiding huge number of tiny dashes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some pathological cases were not caught by the previous fix.
+
+Fixes: QTBUG-95239
+Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5
+Reviewed-by: Robert Löhning <robert.loehning@qt.io>
+(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c)
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+ src/gui/painting/qpaintengineex.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
+index f04e3a498d..bd6bdf7be1 100644
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+             patternLength *= pen.widthF();
+         if (qFuzzyIsNull(patternLength)) {
+             pen.setStyle(Qt::NoPen);
+-        } else if (extent / patternLength > 10000) {
++        } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
+             // approximate stream of tiny dashes with semi-transparent solid line
+             pen.setStyle(Qt::SolidLine);
+             QColor color(pen.color());
+-- 
+From 81998f50d039a6317a3130ace8d4ad304f9acbbf Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@qt.io>
+Date: Fri, 30 Jul 2021 13:03:49 +0200
+Subject: Refix for avoiding huge number of tiny dashes
+
+Previous fix hit too widely so some valid horizontal and vertical
+lines were affected; the root problem being that such lines have an
+empty control point rect (width or height is 0). Fix by caculating in
+the pen width.
+
+Change-Id: I7a436e873f6d485028f6759d0e2c6456f07eebdc
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+(cherry picked from commit 84aba80944a2e1c3058d7a1372e0e66676411884)
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+ src/gui/painting/qpaintengineex.cpp               |  8 +++---
+ tests/auto/gui/painting/qpainter/tst_qpainter.cpp | 31 +++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
+index bd6bdf7be1..d8223c1b3e 100644
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -415,18 +415,18 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+             clipRect = xf.inverted().mapRect(QRectF(d->exDeviceRect));
+         }
+         // Check to avoid generating unwieldy amount of dashes that will not be visible anyway
+-        QRectF extentRect = cpRect & clipRect;
++        qreal pw = pen.widthF() ? pen.widthF() : 1;
++        QRectF extentRect = cpRect.adjusted(-pw, -pw, pw, pw) & clipRect;
+         qreal extent = qMax(extentRect.width(), extentRect.height());
+         qreal patternLength = 0;
+         const QVector<qreal> pattern = pen.dashPattern();
+         const int patternSize = qMin(pattern.size(), 32);
+         for (int i = 0; i < patternSize; i++)
+             patternLength += qMax(pattern.at(i), qreal(0));
+-        if (pen.widthF())
+-            patternLength *= pen.widthF();
++        patternLength *= pw;
+         if (qFuzzyIsNull(patternLength)) {
+             pen.setStyle(Qt::NoPen);
+-        } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
++        } else if (extent / patternLength > 10000) {
+             // approximate stream of tiny dashes with semi-transparent solid line
+             pen.setStyle(Qt::SolidLine);
+             QColor color(pen.color());
+diff --git a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
+index bc0baed15c..697dcfa4a4 100644
+--- a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
++++ b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
+@@ -300,6 +300,7 @@ private slots:
+     void fillPolygon();
+ 
+     void drawImageAtPointF();
++    void scaledDashes();
+ 
+ private:
+     void fillData();
+@@ -5308,6 +5309,36 @@ void tst_QPainter::drawImageAtPointF()
+     paint.end();
+ }
+ 
++void tst_QPainter::scaledDashes()
++{
++    // Test that we do not hit the limit-huge-number-of-dashes path
++    QRgb fore = qRgb(0, 0, 0xff);
++    QRgb back = qRgb(0xff, 0xff, 0);
++    QImage image(5, 32, QImage::Format_RGB32);
++    image.fill(back);
++    QPainter p(&image);
++    QPen pen(QColor(fore), 3, Qt::DotLine);
++    p.setPen(pen);
++    p.scale(1, 2);
++    p.drawLine(2, 0, 2, 16);
++    p.end();
++
++    bool foreFound = false;
++    bool backFound = false;
++    int i = 0;
++    while (i < 32 && (!foreFound || !backFound)) {
++        QRgb pix = image.pixel(3, i);
++        if (pix == fore)
++            foreFound = true;
++        else if (pix == back)
++            backFound = true;
++        i++;
++    }
++
++    QVERIFY(foreFound);
++    QVERIFY(backFound);
++}
++
+ QTEST_MAIN(tst_QPainter)
+ 
+ #include "tst_qpainter.moc"
+-- 
+From cca8ed0547405b1c018e995ad366ba0ab4c2a0e8 Mon Sep 17 00:00:00 2001
+From: Zhang Hao <zhanghao@uniontech.com>
+Date: Tue, 7 Sep 2021 14:50:22 +0800
+Subject: QPaintEngineEx: solve compile error
+
+Use the same variable name in function
+Amends 6869d2463a2e0d71bd04dbc82f5d6ef4933dc510
+
+Pick-to: 6.1 6.2
+Change-Id: If710a53993e84d048f9052f4fcf92eb57635f585
+Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
+---
+ src/gui/painting/qpaintengineex.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
+index 3577d71869..b6c0a9e1ff 100644
+--- a/src/gui/painting/qpaintengineex.cpp
++++ b/src/gui/painting/qpaintengineex.cpp
+@@ -388,7 +388,7 @@ Q_GUI_EXPORT extern bool qt_scaleForTransform(const QTransform &transform, qreal
+ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
+ {
+ #ifdef QT_DEBUG_DRAW
+-    qDebug() << "QPaintEngineEx::stroke()" << pen;
++    qDebug() << "QPaintEngineEx::stroke()" << inPen;
+ #endif
+ 
+     Q_D(QPaintEngineEx);
+-- 
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
@@ -33,7 +33,7 @@
 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
 Version:      5.12.11
-Release:      10%{?dist}
+Release:      11%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -148,6 +148,14 @@ Patch87: CVE-2023-38197.patch
 # Fix CVE-2023-51714
 Patch88: CVE-2023-51714.patch
 
+# Fix taken from Ubuntu's backport: https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193.
+# It's a combination of 4 commits:
+# - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9378ba2ae857df7e
+# - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81998f50d039a631
+# - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7f345f2a1c8d9f60
+# - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=cca8ed0547405b1c
+Patch89: CVE-2021-38593.patch
+
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
 # not there, the platform to integrate with isn't either. Then Qt will just
@@ -257,6 +265,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch86 -p1
 %patch87 -p1
 %patch88 -p1
+%patch89 -p1
 
 ## upstream patches
 
@@ -762,6 +771,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 
 %changelog
+* Thu Feb 15 2024 Sumedh Sharma <sumsharma@microsoft.com> - 5.12.11-11
+- Add patch to resolve CVE-2021-38593, used Ubuntu's patch for guidance.
+
 * Fri Jan 05 2024 Henry Beberman <henry.beberman@microsoft.com> - 5.12.11-10
 - Add patch to resolve CVE-2023-51714
 
