Description: improve the Capella import
 Since the reporter of CVE-2023-44428 does not offer any
 information (testcases, reproducers or patches), attempt
 to improve the situation by plugging missing initialisation
 and other checks. Besides that, do not load untrusted files.
 .
 Endianness is also corrected.
Author: mirabilos <tg@debian.org>
Forwarded: no

--- a/mscore/capella.cpp
+++ b/mscore/capella.cpp
@@ -23,6 +23,7 @@
 //
 #include <assert.h>
 #include "libmscore/mscore.h"
+#include <QtEndian>
 #include "capella.h"
 #include "libmscore/score.h"
 #include "libmscore/part.h"
@@ -68,6 +69,7 @@ const char* Capella::errmsg[] = {
       "bad voice signature",
       "bad staff signature",
       "bad system signature",
+      "short read",
       };
 
 //---------------------------------------------------------
@@ -1918,15 +1920,14 @@ void ChordObj::read()
 //    return false on error
 //---------------------------------------------------------
 
-bool Capella::read(void* p, qint64 len)
+void Capella::read(void* p, qint64 len)
       {
       if (len == 0)
-            return true;
+            return;
       qint64 rv = f->read((char*)p, len);
       if (rv != len)
-            return false;
+            throw Capella::Error::SHORT_READ;
       curPos += len;
-      return true;
       }
 
 //---------------------------------------------------------
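Review bot: The header comment kept as context just above `Capella::read` still says `return false on error`, but the function now returns void and reports a short read by throwing `Capella::Error::SHORT_READ`; it should read something like `//    throws Capella::Error::SHORT_READ on a short read`. The only length guard is `len == 0`, so a negative `len` would still be handed to `f->read` and, if the return value happened to equal it, added to `curPos`. The callers visible in this patch pass fixed sizes or an unsigned byte, so `if (len < 0) throw Capella::Error::SHORT_READ;` would be purely defensive. Every path that reaches `read()` now depends on an enclosing handler for `Capella::Error`; those callers are outside this hunk, so that is worth confirming.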
@@ -1957,9 +1958,9 @@ char Capella::readChar()
 
 short Capella::readWord()
       {
-      short c;
-      read(&c, 2);
-      return c;
+      uchar buf[sizeof(qint16)];
+      read(buf, sizeof(buf));
+      return qFromLittleEndian<qint16>(buf);
       }
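Review bot: The buffer, read and convert sequence added in `readWord` is repeated verbatim in `readDWord`, `readLong` and both branches of `readUnsigned` and `readInt`, differing only in the integer type. A small private member template that declares `uchar buf[sizeof(T)]`, calls `read(buf, sizeof(buf))` and returns `qFromLittleEndian<T>(buf)` would keep the byte-order handling in one place. Each call site would then shrink to a single line such as `return readLE<qint16>();` (`readLE` is a suggested name, not an existing one). This is a style point only; the conversions as written look correct.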
 
 //---------------------------------------------------------
@@ -1968,9 +1969,9 @@ short Capella::readWord()
 
 int Capella::readDWord()
       {
-      int c;
-      read(&c, 4);
-      return c;
+      uchar buf[sizeof(qint32)];
+      read(buf, sizeof(buf));
+      return qFromLittleEndian<qint32>(buf);
       }
 
 //---------------------------------------------------------
@@ -1979,9 +1980,9 @@ int Capella::readDWord()
 
 int Capella::readLong()
       {
-      int c;
-      read(&c, 4);
-      return c;
+      uchar buf[sizeof(qint32)];
+      read(buf, sizeof(buf));
+      return qFromLittleEndian<qint32>(buf);
       }
 
 //---------------------------------------------------------
@@ -1993,14 +1994,14 @@ unsigned Capella::readUnsigned()
       unsigned char c;
       read(&c, 1);
       if (c == 254) {
-            unsigned short s;
-            read(&s, 2);
-            return s;
+            uchar buf[sizeof(quint16)];
+            read(buf, sizeof(buf));
+            return qFromLittleEndian<quint16>(buf);
             }
       else if (c == 255) {
-            unsigned s;
-            read(&s, 4);
-            return s;
+            uchar buf[sizeof(quint32)];
+            read(buf, sizeof(buf));
+            return qFromLittleEndian<quint32>(buf);
             }
       else
             return c;
@@ -2015,14 +2016,14 @@ int Capella::readInt()
       signed char c;
       read(&c, 1);
       if (c == -128) {
-            short s;
-            read(&s, 2);
-            return s;
+            uchar buf[sizeof(qint16)];
+            read(buf, sizeof(buf));
+            return qFromLittleEndian<qint16>(buf);
             }
       else if (c == 127) {
-            int s;
-            read(&s, 4);
-            return s;
+            uchar buf[sizeof(qint32)];
+            read(buf, sizeof(buf));
+            return qFromLittleEndian<qint32>(buf);
             }
       else
             return c;
@@ -2156,8 +2157,7 @@ void Capella::readStaveLayout(CapStaffLa
             default:
                   {
                   char lines[11];
-                  f->read(lines, 11);
-                  curPos += 11;
+                  read(lines, 11);
                   }
                   break;
             }
@@ -2190,16 +2190,14 @@ void Capella::readStaveLayout(CapStaffLa
             Q_UNUSED(iMin);
             uchar n    = readByte();
             Q_ASSERT (n > 0 and iMin + n <= 128);
-            f->read(sl->soundMapIn, n);
-            curPos += n;
+            read(sl->soundMapIn, n);
             }
       if (sl->bSoundMapOut) {     // Umleitungstabelle für das Vorspielen
             unsigned char iMin = readByte();
             Q_UNUSED(iMin);
             unsigned char n    = readByte();
             Q_ASSERT (n > 0 and iMin + n <= 128);
-            f->read(sl->soundMapOut, n);
-            curPos += n;
+            read(sl->soundMapOut, n);
             }
       sl->sound  = readInt();
       sl->volume = readInt();
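Review bot: `Q_ASSERT (n > 0 and iMin + n <= 128)` is the only bound on `n` before `read(sl->soundMapIn, n)`, and `Q_ASSERT` compiles to nothing when `QT_NO_DEBUG` is defined, so in a release build a file-supplied `n` of up to 255 is copied into the buffer unchecked. The same applies to `soundMapOut` a few lines below. The new throwing `read()` catches truncated input but not a length larger than the destination. The array sizes are declared outside this hunk (the assertion suggests 128), so this needs confirming, but a runtime check before each read would hold in all builds, for example `if (n == 0 || iMin + n > 128) throw Capella::Error::BAD_STAFF_SIG;` or a dedicated error value. `readStaveLayout` begins and ends outside this hunk.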
--- a/mscore/capella.h
+++ b/mscore/capella.h
@@ -313,11 +313,13 @@ class MetafileObj : public BasicRectObj
 class LineObj : public BasicDrawObj {
 
    public:
-      LineObj(Capella* c) : BasicDrawObj(CapellaType::LINE, c) {}
-      LineObj(CapellaType t, Capella* c) : BasicDrawObj(t, c) {}
+      LineObj(Capella* c) : BasicDrawObj(CapellaType::LINE, c),
+           color(Qt::black), lineWidth(1) {}
+      LineObj(CapellaType t, Capella* c) : BasicDrawObj(t, c),
+           color(Qt::black), lineWidth(1) {}
       void read();
 
-      QPointF pt1, pt2;
+      QPointF pt1, pt2; // note default constructor inits to (0, 0)
       QColor color;
       char lineWidth;
       };
@@ -385,6 +387,7 @@ class VoltaObj : public BasicDrawObj {
    public:
       VoltaObj(Capella* c)
          : BasicDrawObj(CapellaType::VOLTA, c), x0(0), x1(0), y(0),
+           color(Qt::black),
            bLeft(false), bRight(false), bDotted(false),
            allNumbers(false), from(0), to(0) {}
       void read();
@@ -423,7 +426,7 @@ class GuitarObj : public BasicDrawObj {
 class TrillObj : public BasicDrawObj {
    public:
       TrillObj(Capella* c) : BasicDrawObj(CapellaType::TRILL, c), x0(0),
-           x1(0), y(0), trillSign(true) {}
+           x1(0), y(0), color(Qt::black), trillSign(true) {}
       void read();
       void readCapx(XmlReader& e);
 
@@ -682,7 +685,7 @@ class Capella {
 
    public:
       enum class Error : char { CAP_NO_ERROR, BAD_SIG, CAP_EOF, BAD_VOICE_SIG,
-            BAD_STAFF_SIG, BAD_SYSTEM_SIG
+            BAD_STAFF_SIG, BAD_SYSTEM_SIG, SHORT_READ
             };
 
       Capella();
@@ -702,7 +705,8 @@ class Capella {
       QString readQString();
       void readExtra();
       QList<BasicDrawObj*> readDrawObjectArray();
-      bool read(void* p, qint64 len);
+      // was bool, but nothing checked the return value, so it throws now
+      void read(void* p, qint64 len);
       QFont readFont();
       QPointF readPoint();
 
--- a/mscore/capxml.cpp
+++ b/mscore/capxml.cpp
@@ -304,7 +304,7 @@ void ChordObj::readCapx(XmlReader& e)
       while (e.readNextStartElement()) {
             const QStringRef& tag(e.name());
             if (tag == "duration") {
-                  unsigned int dummy;
+                  unsigned int dummy = 0;
                   BasicDurationalObj::readCapx(e, dummy);
                   }
             else if (tag == "display") {
