summaryrefslogtreecommitdiff
path: root/dev-qt
diff options
context:
space:
mode:
Diffstat (limited to 'dev-qt')
-rw-r--r--dev-qt/qtsvg/files/qtsvg-6.10.3-CVE-2026-6210.patch43
-rw-r--r--dev-qt/qtsvg/qtsvg-6.10.3-r1.ebuild (renamed from dev-qt/qtsvg/qtsvg-6.10.3.ebuild)4
-rw-r--r--dev-qt/qtsvg/qtsvg-6.11.0-r1.ebuild (renamed from dev-qt/qtsvg/qtsvg-6.11.0.ebuild)4
3 files changed, 51 insertions, 0 deletions
diff --git a/dev-qt/qtsvg/files/qtsvg-6.10.3-CVE-2026-6210.patch b/dev-qt/qtsvg/files/qtsvg-6.10.3-CVE-2026-6210.patch
new file mode 100644
index 000000000000..cf10466a5191
--- /dev/null
+++ b/dev-qt/qtsvg/files/qtsvg-6.10.3-CVE-2026-6210.patch
@@ -0,0 +1,43 @@
+https://bugs.gentoo.org/974278
+https://codereview.qt-project.org/c/qt/qtsvg/+/732200
+--- a/src/svg/qsvgstructure.cpp
++++ b/src/svg/qsvgstructure.cpp
+@@ -415,7 +415,8 @@
+ const auto markers = markersForNode(node);
+ for (auto &i : markers) {
+- QSvgMarker *markNode = static_cast<QSvgMarker*>(node->document()->namedNode(i.markerId));
+- if (!markNode)
++ QSvgNode *referencedNode = node->document()->namedNode(i.markerId);
++ if (!referencedNode || referencedNode->type() != QSvgNode::Marker)
+ continue;
++ QSvgMarker *markNode = static_cast<QSvgMarker *>(referencedNode);
+
+ p->save();
+@@ -722,6 +723,7 @@
+ // Chrome seems to return the mask of the mask if a mask is set on the mask
+ if (this->hasMask()) {
+- QSvgMask *maskNode = static_cast<QSvgMask*>(document()->namedNode(this->maskId()));
+- if (maskNode) {
++ QSvgNode *referencedNode = document()->namedNode(this->maskId());
++ if (referencedNode && referencedNode->type() == QSvgNode::Mask) {
++ QSvgMask *maskNode = static_cast<QSvgMask *>(referencedNode);
+ QRectF boundsRect;
+ return maskNode->createMask(p, states, localRect, &boundsRect);
+--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
++++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+@@ -1868,4 +1868,15 @@
+ QTest::newRow("excessive moveto in path") // id=406541912
+ << R"(<svg><path stroke="#000" d="M- 7e8t9 ."/><marker id="c"/><use href=" c"/></svg>)"_ba;
++ // Bad-cast to QSvgMarker from QSvgLine -> Heap-buffer-overflow
++ QTest::newRow("line-as-marker") // id=496327371
++ << R"-(<svg><line x1="4" id="lledr" marker-end="url(#lledr)" stroke="#00f"/></svg>)-"_ba;
++ QTest::newRow("line-as-mask") // modeled after 496327371 to test similar problem, needs UBSAN
++ << R"-(<svg>
++ <defs>
++ <line x1="4" id="line"/>
++ <mask id="mask" width="2" height="2" mask="url(#line)"/>
++ </defs>
++ <rect width="2" height="2" mask="url(#mask)"/>
++ </svg>)-"_ba;
+ }
+
diff --git a/dev-qt/qtsvg/qtsvg-6.10.3.ebuild b/dev-qt/qtsvg/qtsvg-6.10.3-r1.ebuild
index 81e841a74b43..46c9fb4a5ce9 100644
--- a/dev-qt/qtsvg/qtsvg-6.10.3.ebuild
+++ b/dev-qt/qtsvg/qtsvg-6.10.3-r1.ebuild
@@ -17,6 +17,10 @@ RDEPEND="
"
DEPEND="${RDEPEND}"
+PATCHES=(
+ "${FILESDIR}"/${PN}-6.10.3-CVE-2026-6210.patch
+)
+
src_test() {
# tst_QSvgRenderer::testFeColorMatrix (new in 6.7, likely low impact)
# is known failing on BE, could use more looking into (bug #935356)
diff --git a/dev-qt/qtsvg/qtsvg-6.11.0.ebuild b/dev-qt/qtsvg/qtsvg-6.11.0-r1.ebuild
index 929ff37ace4a..78c6730e4012 100644
--- a/dev-qt/qtsvg/qtsvg-6.11.0.ebuild
+++ b/dev-qt/qtsvg/qtsvg-6.11.0-r1.ebuild
@@ -17,6 +17,10 @@ RDEPEND="
"
DEPEND="${RDEPEND}"
+PATCHES=(
+ "${FILESDIR}"/${PN}-6.10.3-CVE-2026-6210.patch
+)
+
src_test() {
# tst_QSvgRenderer::testFeColorMatrix (new in 6.7, likely low impact)
# is known failing on BE, could use more looking into (bug #935356)
generated by cgit v1.3.1 (git 2.54.0) at 2026-06-01 13:14:21 +0000