<pre style='margin:0'>
Renee Otten (reneeotten) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/59ad1e9f75588a69a30eb822b335660b5a2e8796">https://github.com/macports/macports-ports/commit/59ad1e9f75588a69a30eb822b335660b5a2e8796</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 59ad1e9f755 qt6-qtbase: apply security patches
</span>59ad1e9f755 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 59ad1e9f75588a69a30eb822b335660b5a2e8796
</span>Author: Christopher Chavez <chrischavez@gmx.us>
AuthorDate: Mon Feb 19 10:52:47 2024 -0600
<span style='display:block; white-space:pre;color:#404040;'> qt6-qtbase: apply security patches
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Also avoid fuzz in existing patch
</span>---
aqua/qt6/Portfile | 12 +-
aqua/qt6/files/CVE-2023-32762-qtbase.diff | 13 +
aqua/qt6/files/CVE-2023-32763-qtbase.diff | 55 ++++
aqua/qt6/files/CVE-2023-33285-qtbase.diff | 70 +++++
aqua/qt6/files/CVE-2023-37369-qtbase.diff | 189 +++++++++++++
aqua/qt6/files/CVE-2023-38197-qtbase.diff | 217 +++++++++++++++
aqua/qt6/files/CVE-2023-51714-qtbase.diff | 86 ++++++
aqua/qt6/files/CVE-2024-25580-qtbase.diff | 325 +++++++++++++++++++++++
aqua/qt6/files/patch-qtbase-macos_10.14_sdk.diff | 3 +-
9 files changed, 968 insertions(+), 2 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/Portfile b/aqua/qt6/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 5f6a0b5fa15..5709fe149d8 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/aqua/qt6/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -106,7 +106,7 @@ array set modules {
</span> "Qt OpenGL" "Qt Platform Headers" "Qt Print Support" "Qt XML"}
""
"variant overrides: "
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "revision 5"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "revision 6"
</span> "License: "
}
qtsvg {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1035,6 +1035,16 @@ subport ${name}-qtpositioning {
</span> }
if { ${subport} eq "${name}-qtbase" || ${subport} eq "${name}-qtbase-docs" } {
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append {*}{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-32762-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-32763-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-33285-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-37369-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-38197-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2023-51714-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CVE-2024-25580-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # allow building with macOS 10.14 SDK
# see https://trac.macports.org/ticket/64345
patchfiles-append patch-qtbase-macos_10.14_sdk.diff
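Review bot: The seven `CVE-*-qtbase.diff` entries are appended with no comment saying where each backport came from or when it can be dropped, while the existing `patch-qtbase-macos_10.14_sdk.diff` entry just below carries a purpose line and a ticket link. Of the patch files shown in full on this page, only `CVE-2023-33285-qtbase.diff` records an upstream review URL in its header; `CVE-2023-32762-qtbase.diff` and `CVE-2023-32763-qtbase.diff` have none, which makes them harder to audit against upstream later. I would add a comment above the list such as `# upstream security backports; remove once the port moves to a Qt release that contains them (sources: <upstream advisory/change URLs>)`. The enclosing `if` block continues outside the hunk.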
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-32762-qtbase.diff b/aqua/qt6/files/CVE-2023-32762-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..2d707fdb5c1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-32762-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/network/access/qhsts.cpp.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/network/access/qhsts.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (const auto &h : headers) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // We use '==' since header name was already 'trimmed' for us:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (h.first == "Strict-Transport-Security") {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // We compare directly because header name was already 'trimmed' for us:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ header = h.second;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // RFC6797, 8.1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ //
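Review bot: The rewritten comment above the comparison still explains only the trimming, not why the match is now case-insensitive, which is the actual security fix. With the old `==`, a `Strict-Transport-Security` field sent in any other letter case would not match, so the policy would presumably be skipped and the host left without HSTS protection. I would word the comment as `// Header field names are case-insensitive; the name was already 'trimmed' for us:`. The body of `QHstsHeaderParser::parse` continues outside the hunk, so how repeated headers are handled cannot be checked from here.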
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-32763-qtbase.diff b/aqua/qt6/files/CVE-2023-32763-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..858292eab21
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-32763-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,55 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/gui/painting/qfixed_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/gui/painting/qfixed_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -18,6 +18,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <QtGui/private/qtguiglobal_p.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "QtCore/qdebug.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "QtCore/qpoint.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "QtCore/qnumeric.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "QtCore/qsize.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QT_BEGIN_NAMESPACE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i, QFixed d) { return d+i; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int val;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool result = qAddOverflow(v1.value(), v2.value(), &val);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r->setValue(val);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int val;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool result = qMulOverflow(v1.value(), v2.value(), &val);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r->setValue(val);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef QT_NO_DEBUG_STREAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inline QDebug &operator<<(QDebug &dbg, QFixed f)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { return dbg << f.toReal(); }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/gui/text/qtextlayout.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/gui/text/qtextlayout.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2105,11 +2105,14 @@ found:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- eng->maxWidth += line.textWidth;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ eng->maxWidth = QFIXED_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- eng->maxWidth += lbh.spaceData.textWidth;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ eng->maxWidth = QFIXED_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ line.textWidth += trailingSpace;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (lbh.spaceData.length) {
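Review bot: The new `qAddOverflow(QFixed, QFixed, QFixed *)` and `qMulOverflow(QFixed, QFixed, QFixed *)` helpers call `r->setValue(val)` even when the underlying check reports overflow, so correctness depends on every caller testing the return value, and nothing at the definition says so. Both call sites in `qtextlayout.cpp` do check and clamp to `QFIXED_MAX`, but a one-line comment such as `// Returns true on overflow; *r must then be replaced by the caller, not used.` would keep later users from consuming a wrapped width. The context line `line.textWidth += trailingSpace;` directly after the guarded additions is still a plain `QFixed` addition; whether it can overflow depends on code outside the hunk, so it is worth confirming against upstream. `qMulOverflow` has no caller in the visible hunks.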
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-33285-qtbase.diff b/aqua/qt6/files/CVE-2023-33285-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..2ff50916667
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-33285-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,70 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://codereview.qt-project.org/c/qt/qtbase/+/477644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/network/kernel/qdnslookup_unix.cpp.orig 2023-04-24 08:43:14
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/network/kernel/qdnslookup_unix.cpp 2023-06-07 08:58:04
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -227,7 +227,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // responseLength in case of error, we still can extract the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // exact error code from the response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ HEADER *header = (HEADER*)response;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const int answerCount = ntohs(header->ancount);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (header->rcode) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case NOERROR:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -260,18 +259,31 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- // Skip the query host, type (2 bytes) and class (2 bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char host[PACKETSZ], answer[PACKETSZ];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unsigned char *p = response + sizeof(HEADER);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (status < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ntohs(header->qdcount) == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Skip the query host, type (2 bytes) and class (2 bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (status < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ reply->error = QDnsLookup::InvalidReplyError;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ reply->errorString = tr("Could not expand domain name");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((p - response) + status + 4 >= responseLength)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ header->qdcount = 0xffff; // invalid reply below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ p += status + 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ntohs(header->qdcount) > 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reply->error = QDnsLookup::InvalidReplyError;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- reply->errorString = tr("Could not expand domain name");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ reply->errorString = tr("Invalid reply received");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- p += status + 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Extract results.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const int answerCount = ntohs(header->ancount);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int answerIndex = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -283,6 +296,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const QString name = QUrl::fromAce(host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ p += status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((p - response) + 10 > responseLength) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // probably just a truncated reply, return what we have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const quint16 type = (p[0] << 8) | p[1];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ p += 2; // RR type
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ p += 2; // RR class
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -290,6 +308,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ p += 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const quint16 size = (p[0] << 8) | p[1];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ p += 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((p - response) + size > responseLength)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return; // truncated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (type == QDnsLookup::A) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (size != 4) {
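Review bot: The bounds check after the question name signals failure by writing `header->qdcount = 0xffff` into the received packet so that the following `ntohs(header->qdcount) > 1` test fires; this couples two checks through a mutated input buffer and is easy to break in a later edit. Setting `reply->error = QDnsLookup::InvalidReplyError;` and `reply->errorString = tr("Invalid reply received");` and then `return;` directly in that branch would express the same thing without the sentinel. Separately, the two new early returns in the answer loop (`(p - response) + 10 > responseLength` and `(p - response) + size > responseLength`) leave without setting `reply->error`, so as far as these hunks show a caller cannot tell a truncated reply from a complete one; a comment stating that this is intentional would help. The function starts and ends outside the hunks.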
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-37369-qtbase.diff b/aqua/qt6/files/CVE-2023-37369-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..743785f0cf9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-37369-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,189 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 72c33584a98..598b9f0428f 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1245,7 +1245,9 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanContentCharList()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-inline qsizetype QXmlStreamReaderPrivate::fastScanName(qint16 *prefix)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++// Fast scan an XML attribute name (e.g. "xml:lang").
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++inline QXmlStreamReaderPrivate::FastScanNameResult
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++QXmlStreamReaderPrivate::fastScanName(Value *val)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qsizetype n = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uint c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1253,7 +1255,8 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(Value *val)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (n >= 4096) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // This is too long to be a sensible name, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // can exhaust memory, or the range of decltype(*prefix)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ raiseNamePrefixTooLongError();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return {};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (c) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case '\n':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1282,23 +1285,23 @@ inline qsizetype QXmlStreamReaderPrivate::fastScanName(qint16 *prefix)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case '+':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case '*':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ putChar(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (prefix && *prefix == n+1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- *prefix = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (val && val->prefix == n + 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ val->prefix = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ putChar(':');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return FastScanNameResult(n);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case ':':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (prefix) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (*prefix == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- *prefix = qint16(n + 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (val) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (val->prefix == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ val->prefix = n + 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else { // only one colon allowed according to the namespace spec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ putChar(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return FastScanNameResult(n);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ putChar(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return FastScanNameResult(n);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Q_FALLTHROUGH();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1307,12 +1310,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (prefix)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- *prefix = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (val)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ val->prefix = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qsizetype pos = textBuffer.size() - n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ putString(textBuffer, pos);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ textBuffer.resize(pos);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return FastScanNameResult(0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ enum NameChar { NameBeginning, NameNotBeginning, NotName };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1793,6 +1796,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ raiseError(QXmlStreamReader::NotWellFormedError, message);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // TODO: add a ImplementationLimitsExceededError and use it instead
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ raiseError(QXmlStreamReader::NotWellFormedError,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "characters)."));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void QXmlStreamReaderPrivate::parseError()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 81ca36688cd..1b5a682b36a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstream.g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstream.g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1419,7 +1419,12 @@ space_opt ::= space;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qname ::= LETTER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case $rule_number: {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sym(1).len += fastScanName(&sym(1).prefix);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Value &val = sym(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auto res = fastScanName(&val))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ val.len += *res;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (atEnd) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ resume($rule_number);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1430,7 +1435,11 @@ qname ::= LETTER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ name ::= LETTER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case $rule_number:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sym(1).len += fastScanName();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auto res = fastScanName())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sym(1).len += *res;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (atEnd) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ resume($rule_number);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 8f64130d2f9..a277753f188 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -38,7 +38,7 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ constexpr XmlStringRef() = default;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ constexpr inline XmlStringRef(const QString *string, qsizetype pos, qsizetype length)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- : m_string(string), m_pos(pos), m_size(length)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ : m_string(string), m_pos(pos), m_size((Q_ASSERT(length >= 0), length))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ XmlStringRef(const QString *string)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -471,7 +471,16 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qsizetype fastScanLiteralContent();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qsizetype fastScanSpace();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qsizetype fastScanContentCharList();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- qsizetype fastScanName(qint16 *prefix = nullptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct FastScanNameResult {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ FastScanNameResult() : ok(false) {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit FastScanNameResult(qsizetype len) : addToLen(len), ok(true) { }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ operator bool() { return ok; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qsizetype operator*() { Q_ASSERT(ok); return addToLen; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qsizetype addToLen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ FastScanNameResult fastScanName(Value *val = nullptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inline qsizetype fastScanNMTOKEN();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -480,6 +489,7 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void raiseWellFormedError(const QString &message);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ void raiseNamePrefixTooLongError();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QXmlStreamEntityResolver *entityResolver;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstreamparser_p.h b/src/corelib/serialization/qxmlstreamparser_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 17558aae641..d67d71ca01d 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstreamparser_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstreamparser_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -947,7 +947,12 @@ bool QXmlStreamReaderPrivate::parse()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 262: {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sym(1).len += fastScanName(&sym(1).prefix);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Value &val = sym(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auto res = fastScanName(&val))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ val.len += *res;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (atEnd) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ resume(262);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -955,7 +960,11 @@ bool QXmlStreamReaderPrivate::parse()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 263:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sym(1).len += fastScanName();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auto res = fastScanName())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sym(1).len += *res;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (atEnd) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ resume(263);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-38197-qtbase.diff b/aqua/qt6/files/CVE-2023-38197-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..4474d87e4c8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-38197-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,217 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 598b9f0..885354f 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstream.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -126,7 +126,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ addData() or by waiting for it to arrive on the device().
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \value UnexpectedElementError The parser encountered an element
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- that was different to those it expected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ or token that was different to those it expected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -263,13 +263,34 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ include external parsed entities. As long as no error occurs, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- application code can thus be assured that the data provided by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- stream reader satisfies the W3C's criteria for well-formed XML. For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- example, you can be certain that all tags are indeed nested and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- closed properly, that references to internal entities have been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- replaced with the correct replacement text, and that attributes have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- been normalized or added according to the internal subset of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- DTD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ application code can thus be assured, that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li the data provided by the stream reader satisfies the W3C's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ criteria for well-formed XML,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li tokens are provided in a valid order.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \endlist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Unless QXmlStreamReader raises an error, it guarantees the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li All tags are nested and closed properly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li References to internal entities have been replaced with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ correct replacement text.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li Attributes have been normalized or added according to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ internal subset of the \l DTD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li Tokens of type \l StartDocument happen before all others,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aside from comments and processing instructions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li At most one DOCTYPE element (a token of type \l DTD) is present.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \li If present, the DOCTYPE appears before all other elements,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aside from StartDocument, comments and processing instructions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \endlist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ In particular, once any token of type \l StartElement, \l EndElement,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \l Characters, \l EntityReference or \l EndDocument is seen, no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ tokens of type StartDocument or DTD will be seen. If one is present in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ the input stream, out of order, an error is raised.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \note The token types \l Comment and \l ProcessingInstruction may appear
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ anywhere in the stream.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If an error occurs while parsing, atEnd() and hasError() return
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ true, and error() returns the error that occurred. The functions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -572,6 +593,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ d->token = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return readNext();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d->checkToken();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return d->type;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -691,6 +713,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, 8, 16, 30, 42, 55, 66, 77, 85, 89, 105, 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const char QXmlStreamReader_XmlContextString[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "Prolog\0"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "Body\0";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const short QXmlStreamReader_XmlContextString_indices[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 0, 7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \property QXmlStreamReader::namespaceProcessing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -727,6 +756,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QXmlStreamReader_tokenTypeString_indices[d->type]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \internal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \return \param ctxt (Prolog/Body) as a string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QLatin1String(QXmlStreamReader_XmlContextString +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ QXmlStreamReader_XmlContextString_indices[static_cast<int>(ctxt)]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif // QT_NO_XMLSTREAMREADER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -813,6 +852,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ type = QXmlStreamReader::NoToken;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ error = QXmlStreamReader::NoError;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ currentContext = XmlContext::Prolog;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ foundDTD = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3730,6 +3771,91 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static constexpr bool isTokenAllowedInContext(QXmlStreamReader::TokenType type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ QXmlStreamReaderPrivate::XmlContext loc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::StartDocument:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::DTD:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return loc == QXmlStreamReaderPrivate::XmlContext::Prolog;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::StartElement:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::EndElement:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::Characters:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::EntityReference:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::EndDocument:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return loc == QXmlStreamReaderPrivate::XmlContext::Body;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::Comment:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::ProcessingInstruction:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::NoToken:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case QXmlStreamReader::Invalid:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \internal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \brief QXmlStreamReader::isValidToken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \return \c true if \param type is a valid token type.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \return \c false if \param type is an unexpected token,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ which indicates a non-well-formed or invalid XML stream.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Don't change currentContext, if Invalid or NoToken occur in the prolog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // If a token type gets rejected in the body, there is no recovery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const bool result = isTokenAllowedInContext(type, currentContext);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (result || currentContext == XmlContext::Body)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // First non-Prolog token observed => switch context to body and check again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ currentContext = XmlContext::Body;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return isTokenAllowedInContext(type, currentContext);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ \internal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Checks token type and raises an error, if it is invalid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ in the current context (prolog/body).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void QXmlStreamReaderPrivate::checkToken()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Q_Q(QXmlStreamReader);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // The token type must be consumed, to keep track if the body has been reached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const XmlContext context = currentContext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const bool ok = isValidToken(type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Do nothing if an error has been raised already (going along with an unexpected token)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (error != QXmlStreamReader::Error::NoError)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ok) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ raiseError(QXmlStreamReader::UnexpectedElementError,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ QLatin1String("Unexpected token type %1 in %2.")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ .arg(q->tokenString(), contextString(context)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type != QXmlStreamReader::DTD)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Raise error on multiple DTD tokens
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (foundDTD) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ raiseError(QXmlStreamReader::UnexpectedElementError,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ QLatin1String("Found second DTD token in %1.").arg(contextString(context)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ foundDTD = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \since 4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a277753..c33f1cd 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/corelib/serialization/qxmlstream_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -270,6 +270,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QStringDecoder decoder;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool atEnd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enum class XmlContext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Prolog,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Body,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ XmlContext currentContext = XmlContext::Prolog;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool foundDTD = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool isValidToken(QXmlStreamReader::TokenType type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ void checkToken();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \sa setType()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
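Review bot: `contextString()` in the qxmlstream.cpp part of this patch is defined as a plain free function, so it has external linkage under a very generic name. As far as the patch shows, it is only called from `checkToken()` in the same file, so `static QString contextString(QXmlStreamReaderPrivate::XmlContext ctxt)` would keep it file-local. The function also indexes `QXmlStreamReader_XmlContextString_indices` with `static_cast<int>(ctxt)` and no bounds check, which is correct only while the table has exactly one entry per `XmlContext` enumerator. A comment beside the enum in qxmlstream_p.h, such as `// keep in sync with QXmlStreamReader_XmlContextString in qxmlstream.cpp`, would tie the two together. Since the patch file is carried from upstream, both points are probably better raised there than changed locally.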
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2023-51714-qtbase.diff b/aqua/qt6/files/CVE-2023-51714-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..e8ae0dd1215
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2023-51714-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,86 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From ea63c28efc1d2ecb467b83a34923d12462efa96f Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Marc Mutz <marc.mutz@qt.io>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 12 Dec 2023 20:51:56 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] HPack: fix a Yoda Condition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Putting the variable on the LHS of a relational operation makes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+expression easier to read. In this case, we find that the whole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+expression is nonsensical as an overflow protection, because if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+name.size() + value.size() overflows, the result will exactly _not_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+be > max() - 32, because UB will have happened.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+To be fixed in a follow-up commit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+As a drive-by, add parentheses around the RHS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 13c16b756900fe524f6d9534e8a07aa003c05e0c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 1d4788a39668fb2dc5912a8d9c4272dc40e99f92)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 87de75b5cc946d196decaa6aef4792a6cac0b6db)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 834214f..ab166a6 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -27,7 +27,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // 32 octets of overhead."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const unsigned sum = unsigned(name.size() + value.size());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (std::numeric_limits<unsigned>::max() - 32 < sum)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sum > (std::numeric_limits<unsigned>::max() - 32))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return HeaderSize();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return HeaderSize(true, quint32(sum + 32));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From 9ef4ca5ecfed771dab890856130e93ef5ceabef5 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Marc Mutz <marc.mutz@qt.io>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 12 Dec 2023 22:08:07 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] HPack: fix incorrect integer overflow check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This code never worked:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Qt 5) signed interger overflow would have had to happen in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+addition of the two sizes. The compiler can therefore remove the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+overflow check as dead code.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+On Qt 6 and 64-bit platforms, the signed integer addition would be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+very unlikely to overflow, but the following truncation to uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+would yield the correct result only in a narrow 32-value window just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+below UINT_MAX, if even that.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fix by using the proper tool, qAddOverflow.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Pick-to: 5.15
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Reviewed-by: Marc Mutz <marc.mutz@qt.io>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 7e4950d..897f13a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/network/access/http2/hpacktable.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -26,7 +26,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // for counting the number of references to the name and value would have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // 32 octets of overhead."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const unsigned sum = unsigned(name.size() + value.size());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t sum;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return HeaderSize();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sum > (std::numeric_limits<unsigned>::max() - 32))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return HeaderSize();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return HeaderSize(true, quint32(sum + 32));
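Review bot: The bound in the second embedded patch, `if (sum > (std::numeric_limits<unsigned>::max() - 32))`, is written in terms of `unsigned`, while the value it protects is narrowed with `quint32(sum + 32)` on the next line; the two agree only where `unsigned` is 32 bits wide. That is presumably true on every platform this port builds for, so this is a robustness and readability point rather than a live defect, but writing the limit with the type of the cast makes the guard match it: `if (sum > (std::numeric_limits<quint32>::max() - 32))`. Because the file is a backport of upstream commits, a change like this is better raised upstream than carried as a local divergence. The enclosing function starts outside the hunk context, so how callers treat the default-constructed `HeaderSize()` returned on rejection cannot be checked from here.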
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/CVE-2024-25580-qtbase.diff b/aqua/qt6/files/CVE-2024-25580-qtbase.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..8f24c8c1fcd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/CVE-2024-25580-qtbase.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,325 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 32ea08144b..f9b4c807c9 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/gui/util/qktxhandler.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/gui/util/qktxhandler.cpp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -41,7 +41,7 @@ struct KTXHeader {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quint32 bytesOfKeyValueData;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static const quint32 headerSize = sizeof(KTXHeader);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Currently unused, declared for future reference
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct KTXKeyValuePairItem {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,20 +71,32 @@ struct KTXMipmapLevel {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-// Returns the nearest multiple of 'rounding' greater than or equal to 'value'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-constexpr quint32 withPadding(quint32 value, quint32 rounding)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++// Returns the nearest multiple of 4 greater than or equal to 'value'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const std::optional<quint32> nearestMultipleOf4(quint32 value)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Q_ASSERT(rounding > 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return value + (rounding - 1) - ((value + (rounding - 1)) % rounding);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ constexpr quint32 rounding = 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 result = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(value, rounding - 1, &result))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ result &= ~(rounding - 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++// Returns a view with prechecked bounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static QByteArrayView safeView(QByteArrayView view, quint32 start, quint32 length)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 end = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(start, length, &end) || end > quint32(view.length()))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return {};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return view.sliced(start, length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QKtxHandler::~QKtxHandler() = default;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Q_UNUSED(suffix);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return block.startsWith(ktxIdentifier);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QTextureFileData QKtxHandler::read()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -93,55 +95,122 @@ QTextureFileData QKtxHandler::read()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const QByteArray buf = device()->readAll();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const quint32 dataSize = quint32(buf.size());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (buf.size() > std::numeric_limits<quint32>::max()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!canRead(QByteArray(), buf)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.data());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!checkHeader(*header)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (buf.size() < qsizetype(qktxh_headerSize)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KTXHeader header;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&header, buf.data(), qktxh_headerSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!checkHeader(header)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QTextureFileData texData;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ texData.setData(buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setGLFormat(decode(header->glFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setGLInternalFormat(decode(header->glInternalFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setGLFormat(decode(header.glFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setGLInternalFormat(decode(header.glInternalFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setNumLevels(decode(header->numberOfMipmapLevels));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setNumFaces(decode(header->numberOfFaces));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setNumLevels(decode(header.numberOfMipmapLevels));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setNumFaces(decode(header.numberOfFaces));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const quint32 bytesOfKeyValueData = decode(header->bytesOfKeyValueData);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (headerSize + bytesOfKeyValueData < quint64(buf.size())) // oob check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- texData.setKeyValueMetadata(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- decodeKeyValues(QByteArrayView(buf.data() + headerSize, bytesOfKeyValueData)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- quint32 offset = headerSize + bytesOfKeyValueData;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 headerKeyValueSize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (headerKeyValueSize >= quint32(buf.size())) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // File contains key/values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (bytesOfKeyValueData > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auto keyValueDataView = safeView(buf, qktxh_headerSize, bytesOfKeyValueData);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (keyValueDataView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auto keyValues = decodeKeyValues(keyValueDataView);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!keyValues) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Could not parse key values in KTX file %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ texData.setKeyValueMetadata(*keyValues);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Technically, any number of levels is allowed but if the value is bigger than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // what is possible in KTX V2 (and what makes sense) we return an error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // maxLevels = log2(max(width, height, depth))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const int maxLevels = (sizeof(quint32) * 8)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - qCountLeadingZeroBits(std::max(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { header.pixelWidth, header.pixelHeight, header.pixelDepth }));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (texData.numLevels() > maxLevels) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- constexpr int MAX_ITERATIONS = 32; // cap iterations in case of corrupt data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (texData.numFaces() != 1 && texData.numFaces() != 6) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid number of faces in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (int level = 0; level < qMin(texData.numLevels(), MAX_ITERATIONS); level++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (offset + sizeof(quint32) > dataSize) // Corrupt file; avoid oob read
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 offset = headerKeyValueSize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (int level = 0; level < texData.numLevels(); level++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const auto imageSizeView = safeView(buf, offset, sizeof(quint32));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (imageSizeView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const quint32 imageSize = decode(qFromUnaligned<quint32>(buf.data() + offset));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(quint32);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const quint32 imageSize = decode(qFromUnaligned<quint32>(imageSizeView.data()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset += sizeof(quint32); // overflow checked indirectly above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (int face = 0; face < qMin(texData.numFaces(), MAX_ITERATIONS); face++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (int face = 0; face < texData.numFaces(); face++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ texData.setDataOffset(offset, level, face);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ texData.setDataLength(imageSize, level, face);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Add image data and padding to offset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += withPadding(imageSize, 4);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const auto padded = nearestMultipleOf4(imageSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!padded) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 offsetNext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(offset, *padded, &offsetNext)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset = offsetNext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!texData.isValid()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logName().constData());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return QTextureFileData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -187,33 +220,83 @@ bool QKtxHandler::checkHeader(const KTXHeader &header)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return is2D && (isCubeMap || isCompressedImage);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-QMap<QByteArray, QByteArray> QKtxHandler::decodeKeyValues(QByteArrayView view) const
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++std::optional<QMap<QByteArray, QByteArray>> QKtxHandler::decodeKeyValues(QByteArrayView view) const
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QMap<QByteArray, QByteArray> output;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quint32 offset = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- while (offset < view.size() + sizeof(quint32)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (offset < quint32(view.size())) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const auto keyAndValueByteSizeView = safeView(view, offset, sizeof(quint32));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (keyAndValueByteSizeView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const quint32 keyAndValueByteSize =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- decode(qFromUnaligned<quint32>(view.constData() + offset));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ decode(qFromUnaligned<quint32>(keyAndValueByteSizeView.data()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(quint32);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (offset + keyAndValueByteSize > quint64(view.size()))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- break; // oob read
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 offsetKeyAndValueStart;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(offset, quint32(sizeof(quint32)), &offsetKeyAndValueStart)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 offsetKeyAndValueEnd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(offsetKeyAndValueStart, keyAndValueByteSize, &offsetKeyAndValueEnd)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const auto keyValueView = safeView(view, offsetKeyAndValueStart, keyAndValueByteSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (keyValueView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // 'key' is a UTF-8 string ending with a null terminator, 'value' is the rest.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // To separate the key and value we convert the complete data to utf-8 and find the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // null terminator from the left, here we split the data into two.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const auto str = QString::fromUtf8(view.constData() + offset, keyAndValueByteSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const int idx = str.indexOf('\0'_L1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (idx == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const QByteArray key = str.left(idx).toUtf8();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const size_t keySize = key.size() + 1; // Actual data size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const QByteArray value = QByteArray::fromRawData(view.constData() + offset + keySize,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- keyAndValueByteSize - keySize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset = withPadding(offset + keyAndValueByteSize, 4);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- output.insert(key, value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const int idx = keyValueView.indexOf('\0');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (idx == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid key in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const QByteArrayView keyView = safeView(view, offsetKeyAndValueStart, idx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (keyView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const quint32 keySize = idx + 1; // Actual data size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 offsetValueStart;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qAddOverflow(offsetKeyAndValueStart, keySize, &offsetValueStart)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ quint32 valueSize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (qSubOverflow(keyAndValueByteSize, keySize, &valueSize)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Underflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const QByteArrayView valueView = safeView(view, offsetValueStart, valueSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (valueView.isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Invalid view in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ output.insert(keyView.toByteArray(), valueView.toByteArray());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const auto offsetNext = nearestMultipleOf4(offsetKeyAndValueEnd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!offsetNext) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ qWarning(lcQtGuiTextureIO, "Overflow in KTX key-value");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return std::nullopt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset = *offsetNext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return output;
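Review bot: The `isEmpty()` checks on `keyView` and `valueView` in the new `decodeKeyValues` body cannot tell a zero-length field from an out-of-bounds one, so an entry with an empty value (`valueSize == 0`) or an empty key (`idx == 0`) makes the function return `std::nullopt`, and the empty-key case is logged as "Overflow in KTX key-value". Failing closed is the safe direction for a parser of untrusted texture files, but if empty values are legal in KTX metadata this rejects well-formed input; `safeView` is defined outside this hunk, so this assumes it returns a view of exactly the requested length. I would guard the value check as `if (valueSize != 0 && valueView.isEmpty()) {` and give the empty-key case its own message, `qWarning(lcQtGuiTextureIO, "Empty key in KTX key-value");`. The function's closing brace and the caller that handles `std::nullopt` are outside the hunk, and because this file is a vendored upstream patch the change would belong upstream rather than in the port.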
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 77ce1ca556..9cf6f65586 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/gui/util/qktxhandler_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/gui/util/qktxhandler_p.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -17,6 +17,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "qtexturefilehandler_p.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <optional>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ QT_BEGIN_NAMESPACE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct KTXHeader;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -33,7 +35,7 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ private:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool checkHeader(const KTXHeader &header);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- QMap<QByteArray, QByteArray> decodeKeyValues(QByteArrayView view) const;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ std::optional<QMap<QByteArray, QByteArray>> decodeKeyValues(QByteArrayView view) const;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quint32 decode(quint32 val) const;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool inverseEndian = false;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/aqua/qt6/files/patch-qtbase-macos_10.14_sdk.diff b/aqua/qt6/files/patch-qtbase-macos_10.14_sdk.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index d7dff97cf3c..37605c24286 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/aqua/qt6/files/patch-qtbase-macos_10.14_sdk.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/aqua/qt6/files/patch-qtbase-macos_10.14_sdk.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -37,7 +37,8 @@ Upstream-Status: Inappropriate [violates DRY]
</span> driverInfoStruct.deviceType = QRhiDriverInfo::ExternalDevice;
break;
default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -403,7 +403,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -403,8 +403,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(Q_OS_MACOS)
</span> caps.maxTextureSize = 16384;
caps.baseVertexAndInstance = true;
+#if MAC_OS_X_VERSION_MAX_ALLOWED >= 101500
</pre><pre style='margin:0'>
</pre>