qt/qtsvg: apply CVE-2026-6210 patch (heap-overflow in QSvgMarker::drawHelper)

Cherry-picked from Qt upstream (commit e488f852fa18c2afc2842a88eff8f66ad4105a45).
Original patch source:
https://download.qt.io/official_releases/qt/6.11/CVE-2026-6210-qtsvg-6.11.diff

Fix: Test types of nodes before downcasting them. A bad cast in
QSvgMarker::drawHelper led to endless recursion resulting in a heap
overflow. While fixing that, another similar case was also fixed.
This commit is contained in:
2026-07-11 01:36:28 +03:00
parent 48021ef39c
commit 311a96bc94
25 changed files with 1326 additions and 946 deletions
+27 -39
View File
@@ -1,20 +1,18 @@
diff -ruw source/lib/cmpbuf.c source-new/lib/cmpbuf.c
--- source/lib/cmpbuf.c 2017-01-01 04:22:36.000000000 -0700
+++ source-new/lib/cmpbuf.c 2018-12-29 07:31:43.920193561 -0700
@@ -71,8 +71,8 @@
ancient AIX hosts that set errno to EINTR after uncaught
SIGCONT. See <news:1r77ojINN85n@ftp.UU.NET>
(1993-04-22). */
- if (! SA_RESTART && errno == EINTR)
- continue;
+ //if (! SA_RESTART && errno == EINTR)
+ // continue;
--- diffutils-3.12/lib/cmpbuf.c 2025-01-12 21:27:47.000000000 +0300
+++ diffutils-3.12-new/lib/cmpbuf.c 2026-07-11 01:26:55.996990194 +0300
@@ -84,8 +84,8 @@
ancient AIX hosts that set errno to EINTR after uncaught
SIGCONT. See <news:1r77ojINN85n@ftp.UU.NET>
(1993-04-22). */
- if (! SA_RESTART && errno == EINTR)
- continue;
+ /*if (! SA_RESTART && errno == EINTR)
+ continue;*/
return SIZE_MAX;
}
diff -ruw source/lib/getdtablesize.c source-new/lib/getdtablesize.c
--- source/lib/getdtablesize.c 2017-05-18 10:23:32.000000000 -0600
+++ source-new/lib/getdtablesize.c 2018-12-29 07:32:31.709586573 -0700
return -1;
}
--- diffutils-3.12/lib/getdtablesize.c 2025-01-02 05:33:12.000000000 +0300
+++ diffutils-3.12-new/lib/getdtablesize.c 2026-07-11 01:26:55.997027743 +0300
@@ -109,6 +109,7 @@
int
getdtablesize (void)
@@ -31,11 +29,10 @@ diff -ruw source/lib/getdtablesize.c source-new/lib/getdtablesize.c
return INT_MAX;
}
diff -ruw source/lib/getprogname.c source-new/lib/getprogname.c
--- source/lib/getprogname.c 2017-01-31 11:36:50.000000000 -0700
+++ source-new/lib/getprogname.c 2018-12-29 07:34:15.432575388 -0700
@@ -51,6 +51,14 @@
# include <sys/procfs.h>
--- diffutils-3.12/lib/getprogname.c 2025-01-02 05:33:12.000000000 +0300
+++ diffutils-3.12-new/lib/getprogname.c 2026-07-11 01:26:55.997103089 +0300
@@ -55,6 +55,14 @@
# include <string.h>
#endif
+#if defined(__redox__)
@@ -46,30 +43,29 @@ diff -ruw source/lib/getprogname.c source-new/lib/getprogname.c
+# include <limits.h>
+#endif
+
#include "dirname.h"
#include "basename-lgpl.h"
#ifndef HAVE_GETPROGNAME /* not Mac OS X, FreeBSD, NetBSD, OpenBSD >= 5.4, Cygwin */
@@ -177,6 +185,17 @@
}
#ifndef HAVE_GETPROGNAME /* not Mac OS X, FreeBSD, NetBSD, OpenBSD >= 5.4, Solaris >= 11, Cygwin, Android API level >= 21 */
@@ -297,6 +305,17 @@
close (fd);
}
return NULL;
return "?";
+# elif defined(__redox__)
+ char filename[PATH_MAX];
+ int fd = open ("sys:exe", O_RDONLY);
+ if (fd > 0) {
+ int len = read(fd, filename, PATH_MAX-1);
+ if (len > 0) {
+ filename[len] = '\0';
+ filename[len] = '\x00';
+ return strdup(filename);
+ }
+ }
+ return NULL;
+ return "?";
# else
# error "getprogname module not ported to this OS"
# endif
diff -ruw source/lib/sigprocmask.c source-new/lib/sigprocmask.c
--- source/lib/sigprocmask.c 2017-05-18 10:23:32.000000000 -0600
+++ source-new/lib/sigprocmask.c 2018-12-29 07:45:02.610557142 -0700
--- diffutils-3.12/lib/sigprocmask.c 2025-01-02 05:33:12.000000000 +0300
+++ diffutils-3.12-new/lib/sigprocmask.c 2026-07-11 01:26:55.997143937 +0300
@@ -126,6 +126,7 @@
return 0;
}
@@ -78,11 +74,3 @@ diff -ruw source/lib/sigprocmask.c source-new/lib/sigprocmask.c
int
sigemptyset (sigset_t *set)
{
@@ -180,6 +181,7 @@
*set = ((2U << (NSIG - 1)) - 1) & ~ SIGABRT_COMPAT_MASK;
return 0;
}
+#endif
/* Set of currently blocked signals. */
static volatile sigset_t blocked_set /* = 0 */;