From 5abcc9f9e41a2373acd8f65662709992ecb92b92 Mon Sep 17 00:00:00 2001
From: zhaoshun
Date: Wed, 27 Aug 2025 17:42:30 +0800
Subject: [PATCH] Fix CVE-2025-0436
---
CVE-2025-0436.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++
qt5-qtwebengine.spec | 10 +++++++-
2 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 CVE-2025-0436.patch
diff --git a/CVE-2025-0436.patch b/CVE-2025-0436.patch
new file mode 100644
index 0000000..0a6fffb
--- /dev/null
+++ b/CVE-2025-0436.patch
@@ -0,0 +1,58 @@
+From 71ac0d61af2af32abf95a8ff31d243f72240916b Mon Sep 17 00:00:00 2001
+From: zhaoshun
+Date: Tue, 29 Jul 2025 17:32:08 +0800
+Subject: [PATCH] CVE-2025-0436
+
+---
+ .../src/gpu/ops/GrAAHairLinePathRenderer.cpp | 23 +++++++++++++++----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
+index c4ae781..a91eaac 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp
+@@ -11,6 +11,7 @@
+ #include "src/core/SkMatrixPriv.h"
+ #include "src/core/SkPointPriv.h"
+ #include "src/core/SkRectPriv.h"
++#include "src/core/SkSafeMath.h"
+ #include "src/core/SkStroke.h"
+ #include "src/gpu/GrAuditTrail.h"
+ #include "src/gpu/GrBuffer.h"
+@@ -1189,16 +1190,28 @@ void AAHairlineOp::onPrepareDraws(Target* target) {
+
+ int instanceCount = fPaths.count();
+ bool convertConicsToQuads = !target->caps().shaderCaps()->floatIs32Bits();
+- for (int i = 0; i < instanceCount; i++) {
++ SkSafeMath safeMath;
++ for (int i = 0; i < instanceCount && safeMath.ok(); i++) {
+ const PathData& args = fPaths[i];
+- quadCount += gather_lines_and_quads(args.fPath, args.fViewMatrix, args.fDevClipBounds,
+- args.fCapLength, convertConicsToQuads, &lines, &quads,
+- &conics, &qSubdivs, &cWeights);
++ quadCount = safeMath.addInt(quadCount,
++ gather_lines_and_quads(args.fPath,
++ args.fViewMatrix,
++ args.fDevClipBounds,
++ args.fCapLength,
++ convertConicsToQuads,
++ &lines,
++ &quads,
++ &conics,
++ &qSubdivs,
++ &cWeights));
+ }
+
+ int lineCount = lines.count() / 2;
+ int conicCount = conics.count() / 3;
+- int quadAndConicCount = conicCount + quadCount;
++ int quadAndConicCount = safeMath.addInt(conicCount, quadCount);
++ if (!safeMath.ok()) {
++ return;
++ }
+
+ static constexpr int
kMaxLines = SK_MaxS32 / kLineSegNumVertices; + static constexpr int kMaxQuadsAndConics = SK_MaxS32 / kQuadNumVertices; +-- +2.43.5 + diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec index 770e788..c8eca20 100644 --- a/qt5-qtwebengine.spec +++ b/qt5-qtwebengine.spec @@ -52,7 +52,7 @@ Summary: Qt5 - QtWebEngine components Name: qt5-qtwebengine Version: 5.15.10 -Release: 6 +Release: 7 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html @@ -123,6 +123,10 @@ Patch53: fix-build-tools-to-run-with-python3.11.patch # bit-field.h:43:29: error: integer value 7 is outside the valid range of values [0, 3] for the enumeration type 'Kind' Patch54: fix-qt5-qtwebengine-build-with-clang-17.patch +# chromium patches +# from https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?h=87-based&id=8882ed795a3dc6b489982f6d6869e5c22d3703ea +Patch55: CVE-2025-0436.patch + %ifarch riscv64 # riscv64 support patch from Arch Linux Patch1000: riscv-v8.patch @@ -440,6 +444,7 @@ popd %patch52 -p1 -b .chromium-python3 %patch53 -p1 -b .fix-build-tools-to-run-with-python3.11 %patch54 -p1 -b .fix-qt5-qtwebengine-build-with-clang-17 +%patch55 -p1 %ifarch riscv64 %patch1000 -p1 -b .riscv-v8 @@ -665,6 +670,9 @@ done %changelog +* Wed Aug 13 2025 Shun Zhao - 5.15.10-7 +- Fix CVE-2025-0436 + * Wed Apr 03 2024 misaka00251 - 5.15.10-6 - Migrate python 2 to python 3 & Fix build on riscv64 -- Gitee
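Review bot: The `if (!safeMath.ok()) { return; }` added in the AAHairlineOp::onPrepareDraws hunk of CVE-2025-0436.patch silently drops the whole draw on overflow, and nothing in the new code records why. I would put a comment above it such as `// Quad/conic count overflowed int: skip the draw rather than carry a wrapped count into the size checks below.` so the guard is not later removed as dead code. The loop condition `i < instanceCount && safeMath.ok()` stops at the first overflow and leaves `lines`, `quads` and `conics` partially filled, which is only safe because of that return; the same comment should say so. The check covers the sum across paths only; whether the per-path value returned by `gather_lines_and_quads` can itself wrap is not visible in this hunk and is worth confirming against the upstream commit named in the spec. onPrepareDraws begins before and continues past the hunk.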