From 7306f1823a47c1e27604ed1e8af82550ed42fa0d Mon Sep 17 00:00:00 2001
From: hua_yadong <huayadong@kylinos.cn>
Date: Mon, 27 Nov 2023 15:08:31 +0800
Subject: [PATCH] qt-CVE-2023-43114

(cherry picked from commit 4ce93e1703f1e7a580136c8b7a3426e9ef579787)
---
 qt-CVE-2023-43114.patch | 125 ++++++++++++++++++++++++++++++++++++++++
 qt.spec                 |   9 ++-
 2 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 qt-CVE-2023-43114.patch

diff --git a/qt-CVE-2023-43114.patch b/qt-CVE-2023-43114.patch
new file mode 100644
index 0000000..3d545a9
--- /dev/null
+++ b/qt-CVE-2023-43114.patch
@@ -0,0 +1,125 @@
+From 7edcbe0e7db0c292ceac044aacc598bb250d32f2 Mon Sep 17 00:00:00 2001
+From: hua_yadong <huayadong@kylinos.cn>
+Date: Mon, 27 Nov 2023 14:25:31 +0800
+Subject: [PATCH] qt-CVE-2023-43114
+
+---
+ src/gui/text/qfontdatabase_win.cpp | 65 +++++++++++++++++++++++-------
+ 1 file changed, 50 insertions(+), 15 deletions(-)
+
+diff --git a/src/gui/text/qfontdatabase_win.cpp b/src/gui/text/qfontdatabase_win.cpp
+index 10670b1b..7d40b605 100644
+--- a/src/gui/text/qfontdatabase_win.cpp
++++ b/src/gui/text/qfontdatabase_win.cpp
+@@ -1140,33 +1140,67 @@ typedef BOOL (WINAPI *PtrRemoveFontMemResourceEx)(HANDLE);
+ static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData)
+ {
+     QList<quint32> offsets;
+-    const quint32 headerTag = *reinterpret_cast<const quint32 *>(fontData);
++    if (fileEndSentinel - fontData < 12) {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++        return offsets;
++    }
++
++    const quint32 headerTag = qFromUnaligned<quint32>(fontData);
+     if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) {
+         if (headerTag != MAKE_TAG(0, 1, 0, 0)
+             && headerTag != MAKE_TAG('O', 'T', 'T', 'O')
+             && headerTag != MAKE_TAG('t', 'r', 'u', 'e')
+-            && headerTag != MAKE_TAG('t', 'y', 'p', '1'))
++            && headerTag != MAKE_TAG('t', 'y', 'p', '1')) {
+             return offsets;
++        }
+         offsets << 0;
+         return offsets;
+     }
++
++    const quint32 maximumNumFonts = 0xffff;
+     const quint32 numFonts = qFromBigEndian<quint32>(fontData + 8);
+-    for (uint i = 0; i < numFonts; ++i) {
+-        offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++    if (numFonts > maximumNumFonts) {
++        qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting.";
++        return offsets;
++    }
++
++    if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) {
++        for (quint32 i = 0; i < numFonts; ++i)
++            offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++    } else {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+     }
++
+     return offsets;
+ }
+ 
+-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
++static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+ {
+-    const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+-    for (uint i = 0; i < numTables; ++i) {
+-        const quint32 offset = 12 + 16 * i;
+-        if (*reinterpret_cast<const quint32 *>(data + offset) == tag) {
+-            *table = fileBegin + qFromBigEndian<quint32>(data + offset + 8);
+-            *length = qFromBigEndian<quint32>(data + offset + 12);
+-            return;
++    if (fileEndSentinel - data >= 6) {
++        const quint16 numTables = qFromBigEndian<quint16>(data + 4);
++        if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) {
++            for (quint32 i = 0; i < numTables; ++i) {
++                const quint32 offset = 12 + 16 * i;
++                if (qFromUnaligned<quint32>(data + offset) == tag) {
++                    const quint32 tableOffset = qFromBigEndian<quint32>(data + offset + 8);
++                    if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) {
++                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++                        break;
++                    }
++                    *table = fileBegin + tableOffset;
++                    *length = qFromBigEndian<quint32>(data + offset + 12);
++                    if (quintptr(fileEndSentinel - *table) < *length) {
++                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++                        break;
++                    }
++                    return;
++                }
++            }
++        } else {
++            qCWarning(lcQpaFonts) << "Corrupted font data detected";
+         }
++    } else {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+     }
+     *table = 0;
+     *length = 0;
+@@ -1176,8 +1210,9 @@ static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag,
+ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePrivate::ApplicationFont *appFont)
+ {
+     const uchar *data = reinterpret_cast<const uchar *>(fontData.constData());
++    const uchar *dataEndSentinel = data + fontData.size();
+ 
+-    QList<quint32> offsets = getTrueTypeFontOffsets(data);
++    QList<quint32> offsets = getTrueTypeFontOffsets(data, dataEndSentinel);
+     if (offsets.isEmpty())
+         return;
+ 
+@@ -1185,7 +1220,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
+         const uchar *font = data + offsets.at(i);
+         const uchar *table;
+         quint32 length;
+-        getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
++        getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+         if (!table)
+             continue;
+         QString name = getEnglishName(table, length);
+@@ -1194,7 +1229,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData, QFontDatabasePr
+ 
+         appFont->families << name;
+         FONTSIGNATURE signature;
+-        getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
++        getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+         if (table && length >= 86) {
+             // See also qfontdatabase_mac.cpp, offsets taken from OS/2 table in the TrueType spec
+             signature.fsUsb[0] = qFromBigEndian<quint32>(table + 42);
+-- 
+2.41.0
+
diff --git a/qt.spec b/qt.spec
index 29a2ce6..5177269 100644
--- a/qt.spec
+++ b/qt.spec
@@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        57
+Release:        58
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@@ -87,6 +87,7 @@ Patch6007:      CVE-2023-32573.patch
 Patch6008:      qt-CVE-2023-34410.patch
 Patch6009:      qt-CVE-2023-38197.patch
 Patch6010:      qt-CVE-2023-37369.patch 
+Patch6011:      qt-CVE-2023-43114.patch 
 
 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@@ -467,6 +468,12 @@ fi
 %{_qt4_prefix}/examples/
 
 %changelog
+* Mon Nov 27 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-58
+- Type:cves
+- ID:CVE-2023-43114
+- SUG:NA
+- DESC:fix CVE-2023-43114
+
 * Sat Nov 25 2023 hua_yadong<huayadong@kylinos.cn> - 1:4.8.7-57
 - Type:cves
 - ID:CVE-2023-37369
-- 
Gitee