!142 Fix CVE-2023-45935

From: @jackssir 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang

CVE-2023-45935.patch

@@ -0,0 +1,31 @@
+From e876e91e829f6f0d6b9942ae4de80f8323f750ca Mon Sep 17 00:00:00 2001
+From: Liang Qi <liang.qi@qt.io>
+Date: 2023-07-31 05:35:11 +0200
+Subject: [PATCH] CVE-2023-45935
+
+port invokeMethodImpl() from QScopeGuard to SlotObjUniquePtr
+
+---
+ src/plugins/platforms/xcb/qxcbconnection.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/platforms/xcb/qxcbconnection.cpp b/src/plugins/platforms/xcb/qxcbconnection.cpp
+index 5fd1fc6a..2ec668a6 100644
+--- a/src/plugins/platforms/xcb/qxcbconnection.cpp
++++ b/src/plugins/platforms/xcb/qxcbconnection.cpp
+@@ -2051,8 +2051,10 @@ void QXcbConnection::initializeAllAtoms() {
+ 
+     for (i = 0; i < QXcbAtom::NAtoms; ++i) {
+         xcb_intern_atom_reply_t *reply = xcb_intern_atom_reply(xcb_connection(), cookies[i], 0);
+-        m_allAtoms[i] = reply->atom;
+-        free(reply);
++         if (reply) {
++            m_allAtoms[i] = reply->atom;
++            free(reply);
++        }        
+     }
+ }
+ 
+-- 
+2.27.0
+

qt5-qtbase.spec

@@ -13,7 +13,7 @@
 Name:             qt5-qtbase
 Summary:          Core component of Qt toolkit
 Version:          5.11.1
-Release:          17
+Release:          22
 License:          LGPLv2 with exceptions or GPLv3 with exceptions
 Url:              http://qt-project.org/
 Source0:          https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz
@@ -51,6 +51,13 @@ Patch6008:        CVE-2023-32763.patch
 Patch6009:        CVE-2023-37369-pre.patch
 Patch6010:        CVE-2023-37369.patch
 Patch6011:        CVE-2023-33285.patch
+Patch6012:        qtbase5.11.1-CVE-2023-34410.patch
+#https://codereview.qt-project.org/c/qt/qtbase/+/488960
+Patch6013:        qtbase5.11.1-CVE-2023-38197.patch
+#https://codereview.qt-project.org/c/qt/qtbase/+/503026
+Patch6014:        qtbase5.11.1-CVE-2023-43114.patch
+Patch6015:        qtbase5.11.1-CVE-2023-51714.patch
+Patch6016:        CVE-2023-45935.patch
 
 BuildRequires:    pkgconfig(libsystemd) cups-devel desktop-file-utils findutils
 BuildRequires:    libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa)
@@ -418,6 +425,21 @@ fi
 
 
 %changelog
+* Wed Apr 24 2024 lvfei <lvfei@kylinos.cn> - 5.11.1-22
+- Fix CVE-2023-45935
+
+* Wed Jan 31 2024 douyan <douyan@kylinos.cn> - 5.11.1-21
+- add qtbase5.11.1-CVE-2023-51714.patch
+
+* Sat Nov 25 2023 hua_yadong <huayadong@kylinos.cn> - 5.11.1-20
+- Fix qtbase5.11.1-CVE-2023-43114.patch 
+
+* Fri Nov 24 2023 hua_yadong <huayadong@kylinos.cn> - 5.11.1-19
+- Fix qtbase5.11.1-CVE-2023-38197.patch 
+
+* Thu Nov 02 2023 peijiankang <peijiankang@kylinos.cn> - 5.11.1-18
+- Fix CVE-2023-34410
+
 * Wed Nov 01 2023 peijiankang <peijiankang@kylinos.cn> - 5.11.1-17
 - Fix CVE-2023-33285.patch
 

qtbase5.11.1-CVE-2023-34410.patch

@@ -0,0 +1,24 @@
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 4273904c..8d064ba0 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2053,6 +2053,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++    // If the global configuration doesn't allow root certificates to be loaded
++    // on demand then we have to disable it for this socket as well.
++    if (!configuration.allowRootCertOnDemandLoading)
++        allowRootCertOnDemandLoading = false;
+ }
+ 
+ /*!
+@@ -2252,6 +2256,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
++    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;
+

qtbase5.11.1-CVE-2023-38197.patch

@@ -0,0 +1,366 @@
+From 6d909527f97c8a43085bcbdfc5c67a5425837c37 Mon Sep 17 00:00:00 2001
+From: hua_yadong <huayadong@kylinos.cn>
+Date: Fri, 24 Nov 2023 14:12:19 +0800
+Subject: [PATCH] qtbase5.11.1-CVE-2023-38197
+
+---
+ src/corelib/serialization/qxmlstream.cpp      | 139 +++++++++++++++++-
+ src/corelib/serialization/qxmlstream_p.h      |  11 ++
+ .../qxmlstream/tokenError/dtdInBody.xml       |  21 +++
+ .../qxmlstream/tokenError/multipleDtd.xml     |  21 +++
+ .../qxmlstream/tokenError/wellFormed.xml      |  16 ++
+ .../qxmlstream/tst_qxmlstream.cpp             |  39 +++++
+ 6 files changed, 239 insertions(+), 8 deletions(-)
+ create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml
+ create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml
+ create mode 100644 tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml
+
+diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
+index 325a3436..e9fbbb4a 100644
+--- a/src/corelib/serialization/qxmlstream.cpp
++++ b/src/corelib/serialization/qxmlstream.cpp
+@@ -155,7 +155,7 @@ enum { StreamEOF = ~0U };
+     addData() or by waiting for it to arrive on the device().
+ 
+     \value UnexpectedElementError The parser encountered an element
+-    that was different to those it expected.
++    or token that was different to those it expected.
+ 
+ */
+ 
+@@ -292,13 +292,34 @@ QXmlStreamEntityResolver *QXmlStreamReader::entityResolver() const
+ 
+   QXmlStreamReader is a well-formed XML 1.0 parser that does \e not
+   include external parsed entities. As long as no error occurs, the
+-  application code can thus be assured that the data provided by the
+-  stream reader satisfies the W3C's criteria for well-formed XML. For
+-  example, you can be certain that all tags are indeed nested and
+-  closed properly, that references to internal entities have been
+-  replaced with the correct replacement text, and that attributes have
+-  been normalized or added according to the internal subset of the
+-  DTD.
++  application code can thus be assured, that
++  \list
++  \li the data provided by the stream reader satisfies the W3C's
++      criteria for well-formed XML,
++  \li tokens are provided in a valid order.
++  \endlist
++
++  Unless QXmlStreamReader raises an error, it guarantees the following:
++  \list
++  \li All tags are nested and closed properly.
++  \li References to internal entities have been replaced with the
++      correct replacement text.
++  \li Attributes have been normalized or added according to the
++      internal subset of the \l DTD.
++  \li Tokens of type \l StartDocument happen before all others,
++      aside from comments and processing instructions.
++  \li At most one DOCTYPE element (a token of type \l DTD) is present.
++  \li If present, the DOCTYPE appears before all other elements,
++      aside from StartDocument, comments and processing instructions.
++  \endlist
++
++  In particular, once any token of type \l StartElement, \l EndElement,
++  \l Characters, \l EntityReference or \l EndDocument is seen, no
++  tokens of type StartDocument or DTD will be seen. If one is present in
++  the input stream, out of order, an error is raised.
++
++  \note The token types \l Comment and \l ProcessingInstruction may appear
++  anywhere in the stream.
+ 
+   If an error occurs while parsing, atEnd() and hasError() return
+   true, and error() returns the error that occurred. The functions
+@@ -617,6 +638,7 @@ QXmlStreamReader::TokenType QXmlStreamReader::readNext()
+         d->token = -1;
+         return readNext();
+     }
++    d->checkToken();
+     return d->type;
+ }
+ 
+@@ -736,6 +758,9 @@ static const short QXmlStreamReader_tokenTypeString_indices[] = {
+     0, 8, 16, 30, 42, 55, 66, 77, 85, 89, 105, 0
+ };
+ 
++static const char QXmlStreamReader_XmlContextString[] = 
++    "Prolog\0"
++    "Body\0";
+ 
+ /*!
+     \property  QXmlStreamReader::namespaceProcessing
+@@ -772,6 +797,16 @@ QString QXmlStreamReader::tokenString() const
+                          QXmlStreamReader_tokenTypeString_indices[d->type]);
+ }
+ 
++/*!
++   \internal
++   \return \param loc (Prolog/Body) as a string.
++ */
++static const QLatin1String contextString(QXmlStreamReaderPrivate::XmlContext ctxt)
++{
++    return QLatin1String(QXmlStreamReader_XmlContextString +
++                         QXmlStreamReader_XmlContextString[static_cast<int>(ctxt)]);
++}
++
+ #endif // QT_NO_XMLSTREAMREADER
+ 
+ QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack()
+@@ -863,6 +898,8 @@ void QXmlStreamReaderPrivate::init()
+ 
+     type = QXmlStreamReader::NoToken;
+     error = QXmlStreamReader::NoError;
++    currentContext = XmlContext::Prolog;
++    foundDTD = false;
+ }
+ 
+ /*
+@@ -4046,6 +4083,92 @@ void QXmlStreamWriter::writeCurrentToken(const QXmlStreamReader &reader)
+     }
+ }
+ 
++static bool isTokenAllowedInContext(QXmlStreamReader::TokenType type,
++                                               QXmlStreamReaderPrivate::XmlContext loc)
++{
++    switch (type) {
++    case QXmlStreamReader::StartDocument:
++    case QXmlStreamReader::DTD:
++        return loc == QXmlStreamReaderPrivate::XmlContext::Prolog;
++
++    case QXmlStreamReader::StartElement:
++    case QXmlStreamReader::EndElement:
++    case QXmlStreamReader::Characters:
++    case QXmlStreamReader::EntityReference:
++    case QXmlStreamReader::EndDocument:
++        return loc == QXmlStreamReaderPrivate::XmlContext::Body;
++
++    case QXmlStreamReader::Comment:
++    case QXmlStreamReader::ProcessingInstruction:
++        return true;
++
++    case QXmlStreamReader::NoToken:
++    case QXmlStreamReader::Invalid:
++        return false;
++    }
++
++    return false;
++}
++
++/*!
++   \internal
++   \brief QXmlStreamReader::isValidToken
++   \return \c true if \param type is a valid token type.
++   \return \c false if \param type is an unexpected token,
++   which indicates a non-well-formed or invalid XML stream.
++ */
++bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type)
++{
++    // Don't change currentContext, if Invalid or NoToken occur in the prolog
++    if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken)
++        return false;
++
++    // If a token type gets rejected in the body, there is no recovery
++    const bool result = isTokenAllowedInContext(type, currentContext);
++    if (result || currentContext == XmlContext::Body)
++        return result;
++
++    // First non-Prolog token observed => switch context to body and check again.
++    currentContext = XmlContext::Body;
++    return isTokenAllowedInContext(type, currentContext);
++}
++
++/*!
++   \internal
++   Checks token type and raises an error, if it is invalid
++   in the current context (prolog/body).
++ */
++void QXmlStreamReaderPrivate::checkToken()
++{
++    Q_Q(QXmlStreamReader);
++
++    // The token type must be consumed, to keep track if the body has been reached.
++    const XmlContext context = currentContext;
++    const bool ok = isValidToken(type);
++
++    // Do nothing if an error has been raised already (going along with an unexpected token)
++    if (error != QXmlStreamReader::Error::NoError)
++        return;
++
++    if (!ok) {
++        raiseError(QXmlStreamReader::UnexpectedElementError,
++                   QStringLiteral("Unexpected token type %1 in %2.")
++                   .arg(q->tokenString(), contextString(context)));
++        return;
++    }
++
++    if (type != QXmlStreamReader::DTD)
++        return;
++
++    // Raise error on multiple DTD tokens
++    if (foundDTD) {
++        raiseError(QXmlStreamReader::UnexpectedElementError,
++                   QStringLiteral("Found second DTD token in %1.").arg(contextString(context)));
++    } else {
++        foundDTD = true;
++    }
++}
++
+ /*!
+  \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const
+  \since 4.5
+diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
+index 60ba2175..e15ddc35 100644
+--- a/src/corelib/serialization/qxmlstream_p.h
++++ b/src/corelib/serialization/qxmlstream_p.h
+@@ -804,6 +804,17 @@ public:
+ #endif
+     bool atEnd;
+ 
++    enum class XmlContext
++    {
++        Prolog,
++        Body,
++    };
++
++    XmlContext currentContext = XmlContext::Prolog;
++    bool foundDTD = false;
++    bool isValidToken(QXmlStreamReader::TokenType type);
++    void checkToken();
++
+     /*!
+       \sa setType()
+      */
+diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml
+new file mode 100644
+index 00000000..68ef2962
+--- /dev/null
++++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml
+@@ -0,0 +1,21 @@
++<!DOCTYPE TEST [
++   <!ELEMENT TESTATTRIBUTE (CASE+)>
++   <!ELEMENT CASE (CLASS, FUNCTION)>
++   <!ELEMENT CLASS (#PCDATA)>
++
++   <!-- adding random ENTITY statement, as this is typical DTD content -->
++   <!ENTITY unite "&#x222a;">
++
++   <!ATTLIST CASE CLASS CDATA #REQUIRED>
++]>
++<TEST>
++  <CASE>
++    <CLASS>tst_QXmlStream</CLASS>
++  </CASE>
++  <!-- invalid DTD in XML body follows -->
++  <!DOCTYPE DTDTEST [
++    <!ELEMENT RESULT (CASE+)>
++    <!ATTLIST RESULT OUTPUT CDATA #REQUIRED>
++  ]>
++</TEST>
++
+diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml
+new file mode 100644
+index 00000000..1dbe75c4
+--- /dev/null
++++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml
+@@ -0,0 +1,21 @@
++<!DOCTYPE TEST [
++   <!ELEMENT TESTATTRIBUTE (CASE+)>
++   <!ELEMENT CASE (CLASS, FUNCTION, DATASET, COMMENTS)>
++   <!ELEMENT CLASS (#PCDATA)>
++
++   <!-- adding random ENTITY statements, as this is typical DTD content -->
++   <!ENTITY iff "&hArr;">
++
++   <!ATTLIST CASE CLASS CDATA #REQUIRED>
++]>
++<!-- invalid second DTD follows -->
++<!DOCTYPE SECOND [
++   <!ELEMENT SECONDATTRIBUTE (#PCDATA)>
++   <!ENTITY on "&#8728;">
++]>
++<TEST>
++  <CASE>
++    <CLASS>tst_QXmlStream</CLASS>
++  </CASE>
++</TEST>
++
+diff --git a/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml b/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml
+new file mode 100644
+index 00000000..9dfbc0f9
+--- /dev/null
++++ b/tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml
+@@ -0,0 +1,16 @@
++<!DOCTYPE TEST [
++   <!ELEMENT TESTATTRIBUTE (CASE+)>
++   <!ELEMENT CASE (CLASS, FUNCTION, DATASET, COMMENTS)>
++   <!ELEMENT CLASS (#PCDATA)>
++
++   <!-- adding random ENTITY statements, as this is typical DTD content -->
++   <!ENTITY unite "&#x222a;">
++
++   <!ATTLIST CASE CLASS CDATA #REQUIRED>
++]>
++<TEST>
++  <CASE>
++    <CLASS>tst_QXmlStream</CLASS>
++  </CASE>
++</TEST>
++
+diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
+index 16a4200b..1f633b6d 100644
+--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
++++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
+@@ -578,6 +578,9 @@ private slots:
+     void hasError() const;
+     void readBack() const;
+ 
++    void tokenErrorHandling_data() const;
++    void tokenErrorHandling() const;
++
+ private:
+     static QByteArray readFile(const QString &filename);
+ 
+@@ -1741,5 +1744,41 @@ void tst_QXmlStream::readBack() const
+     }
+ }
+ 
++void tst_QXmlStream::tokenErrorHandling_data() const
++{
++    QTest::addColumn<QString>("fileName");
++    QTest::addColumn<QXmlStreamReader::Error>("expectedError");
++    QTest::addColumn<QString>("errorKeyWord");
++
++    constexpr auto invalid = QXmlStreamReader::Error::UnexpectedElementError;
++    constexpr auto valid = QXmlStreamReader::Error::NoError;
++    QTest::newRow("DtdInBody") << "dtdInBody.xml" << invalid << "DTD";
++    QTest::newRow("multipleDTD") << "multipleDtd.xml" << invalid << "second DTD";
++    QTest::newRow("wellFormed") << "wellFormed.xml" << valid << "";
++}
++
++void tst_QXmlStream::tokenErrorHandling() const
++{
++    QFETCH(const QString, fileName);
++    QFETCH(const QXmlStreamReader::Error, expectedError);
++    QFETCH(const QString, errorKeyWord);
++
++    const QDir dir(QFINDTESTDATA("tokenError"));
++    QFile file(dir.absoluteFilePath(fileName));
++
++    // Cross-compiling: File will be on host only
++    if (!file.exists())
++        QSKIP("Testfile not found.");
++
++    file.open(QIODevice::ReadOnly);
++    QXmlStreamReader reader(&file);
++    while (!reader.atEnd())
++        reader.readNext();
++
++    QCOMPARE(reader.error(), expectedError);
++    if (expectedError != QXmlStreamReader::Error::NoError)
++        QVERIFY(reader.errorString().contains(errorKeyWord));
++}
++
+ #include "tst_qxmlstream.moc"
+ // vim: et:ts=4:sw=4:sts=4
+-- 
+2.41.0
+

qtbase5.11.1-CVE-2023-43114.patch

@@ -0,0 +1,129 @@
+From 20eb208612f2ea3601151a058bcfa743ab9ff3ac Mon Sep 17 00:00:00 2001
+From: hua_yadong <huayadong@kylinos.cn>
+Date: Sat, 25 Nov 2023 11:43:09 +0800
+Subject: [PATCH] qtbase5.11.1-CVE-2023-43114
+
+---
+ .../windows/qwindowsfontdatabase.cpp          | 67 ++++++++++++++-----
+ 1 file changed, 51 insertions(+), 16 deletions(-)
+
+diff --git a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
+index aab1ab98..a541326a 100644
+--- a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
++++ b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp
+@@ -1463,36 +1463,70 @@ QT_WARNING_POP
+     return fontEngine;
+ }
+ 
+-static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData)
++static QList<quint32> getTrueTypeFontOffsets(const uchar *fontData, const uchar *fileEndSentinel)
+ {
+     QList<quint32> offsets;
+-    const quint32 headerTag = *reinterpret_cast<const quint32 *>(fontData);
++    if (fileEndSentinel - fontData < 12) {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++        return offsets;
++    }
++
++    const quint32 headerTag = qFromUnaligned<quint32>(fontData);
+     if (headerTag != MAKE_TAG('t', 't', 'c', 'f')) {
+         if (headerTag != MAKE_TAG(0, 1, 0, 0)
+             && headerTag != MAKE_TAG('O', 'T', 'T', 'O')
+             && headerTag != MAKE_TAG('t', 'r', 'u', 'e')
+-            && headerTag != MAKE_TAG('t', 'y', 'p', '1'))
++            && headerTag != MAKE_TAG('t', 'y', 'p', '1')) {
+             return offsets;
++        }
+         offsets << 0;
+         return offsets;
+     }
++
++    const quint32 maximumNumFonts = 0xffff;
+     const quint32 numFonts = qFromBigEndian<quint32>(fontData + 8);
+-    for (uint i = 0; i < numFonts; ++i) {
+-        offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++    if (numFonts > maximumNumFonts) {
++        qCWarning(lcQpaFonts) << "Font collection of" << numFonts << "fonts is too large. Aborting.";
++        return offsets;
+     }
++
++    if (quintptr(fileEndSentinel - fontData) > 12 + (numFonts - 1) * 4) {
++        for (quint32 i = 0; i < numFonts; ++i)
++            offsets << qFromBigEndian<quint32>(fontData + 12 + i * 4);
++    } else {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++    }
++
+     return offsets;
+ }
+ 
+-static void getFontTable(const uchar *fileBegin, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
++static void getFontTable(const uchar *fileBegin, const uchar *fileEndSentinel, const uchar *data, quint32 tag, const uchar **table, quint32 *length)
+ {
+-    const quint16 numTables = qFromBigEndian<quint16>(data + 4);
+-    for (uint i = 0; i < numTables; ++i) {
+-        const quint32 offset = 12 + 16 * i;
+-        if (*reinterpret_cast<const quint32 *>(data + offset) == tag) {
+-            *table = fileBegin + qFromBigEndian<quint32>(data + offset + 8);
+-            *length = qFromBigEndian<quint32>(data + offset + 12);
+-            return;
++    if (fileEndSentinel - data >= 6) {
++        const quint16 numTables = qFromBigEndian<quint16>(data + 4);
++        if (fileEndSentinel - data >= 28 + 16 * (numTables - 1)) {
++            for (quint32 i = 0; i < numTables; ++i) {
++                const quint32 offset = 12 + 16 * i;
++                if (qFromUnaligned<quint32>(data + offset) == tag) {
++                    const quint32 tableOffset = qFromBigEndian<quint32>(data + offset + 8);
++                    if (quintptr(fileEndSentinel - fileBegin) <= tableOffset) {
++                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++                        break;
++                    }
++                    *table = fileBegin + tableOffset;
++                    *length = qFromBigEndian<quint32>(data + offset + 12);
++                    if (quintptr(fileEndSentinel - *table) < *length) {
++                        qCWarning(lcQpaFonts) << "Corrupted font data detected";
++                        break;
++                    }
++                    return;
++                }
++            }
++        } else {
++            qCWarning(lcQpaFonts) << "Corrupted font data detected";
+         }
++    } else {
++        qCWarning(lcQpaFonts) << "Corrupted font data detected";
+     }
+     *table = 0;
+     *length = 0;
+@@ -1504,8 +1538,9 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+                                      QVector<FONTSIGNATURE> *signatures)
+ {
+     const uchar *data = reinterpret_cast<const uchar *>(fontData.constData());
++    const uchar *dataEndSentinel = data + fontData.size();
+ 
+-    QList<quint32> offsets = getTrueTypeFontOffsets(data);
++    QList<quint32> offsets = getTrueTypeFontOffsets(data, dataEndSentinel);
+     if (offsets.isEmpty())
+         return;
+ 
+@@ -1513,7 +1548,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+         const uchar *font = data + offsets.at(i);
+         const uchar *table;
+         quint32 length;
+-        getFontTable(data, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
++        getFontTable(data, dataEndSentinel, font, MAKE_TAG('n', 'a', 'm', 'e'), &table, &length);
+         if (!table)
+             continue;
+         FontNames names = qt_getCanonicalFontNames(table, length);
+@@ -1524,7 +1559,7 @@ static void getFamiliesAndSignatures(const QByteArray &fontData,
+ 
+         if (signatures) {
+             FONTSIGNATURE signature;
+-            getFontTable(data, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
++            getFontTable(data, dataEndSentinel, font, MAKE_TAG('O', 'S', '/', '2'), &table, &length);
+             if (table && length >= 86) {
+                 // Offsets taken from OS/2 table in the TrueType spec
+                 signature.fsUsb[0] = qFromBigEndian<quint32>(table + 42);
+-- 
+2.41.0
+

qtbase5.11.1-CVE-2023-51714.patch

@@ -0,0 +1,38 @@
+From 7743b020c54b4ac7152be1305ad61c6a8fdc604d Mon Sep 17 00:00:00 2001
+From: peijiankang <peijiankang@kylinos.cn>
+Date: Wed, 31 Jan 2024 13:43:57 +0800
+Subject: [PATCH] qtbase5.11.1-CVE-2023-51714
+
+---
+ src/network/access/http2/hpacktable.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index a90ee72d..4f452ad0 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -40,6 +40,7 @@
+ #include "hpacktable_p.h"
+ 
+ #include <QtCore/qdebug.h>
++#include <QtCore/private/qnumeric_p.h>
+ 
+ #include <algorithm>
+ #include <cstring>
+@@ -60,9 +61,10 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value)
+     // to reference the name and the value of the entry and two 64-bit integers
+     // for counting the number of references to the name and value would have
+     // 32 octets of overhead."
+-
+-    const unsigned sum = unsigned(name.size()) + value.size();
+-    if (std::numeric_limits<unsigned>::max() - 32 < sum)
++    size_t sum;
++    if (add_overflow(size_t(name.size()), size_t(value.size()), &sum))
++        return HeaderSize();
++    if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+ }
+-- 
+2.41.0
+