Package: qt6-svg | Debian Sources

Package: qt6-svg / 6.9.2-5

Metadata

Package	Version	Patches format
qt6-svg	6.9.2-5	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
upstream_CVE 2025 10728.diff \| (download)	src/svg/qsvghandler.cpp \| 3 1 + 2 - 0 ! src/svg/qsvgstructure.cpp \| 8 8 + 0 - 0 ! src/svg/qsvgstructure_p.h \| 1 1 + 0 - 0 ! tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp \| 3 3 + 0 - 0 ! 4 files changed, 13 insertions(+), 2 deletions(-)	[patch] replace check for endless recursion when loading The old check parsed the tree of SvgNodes again and again which lead to quadratic complexity. Instead, set and check a bool where the recursion may actually happen which is faster and only has linear complexity. Partially reverts 0332df304f013ded362537c1f61556098b875352 I chose to have the check in QSvgPattern::renderPattern() because: - It not only appears in the recursive backtrace of the stack-overflow which was fixed using the qudratic check, but also in the backtrace of another, still unfixed stack overflow. That way, both can be fixed by the same patch. Credit to OSS-Fuzz for finding them. - The function already had some error checking and returns a default value when it cannot render the content. In the same way, I can return a QImage of the right size but without any content when the endless recursion is about to happen. [ChangeLog] Speed up loading by replacing check for cyclic elements [ChangeLog] Fix stack overflow when an element references its child element using url() Fixes: QTBUG-137553 Pick-to: 6.8

Patch

File delta

Description

upstream_CVE 2025 10728.diff | (download)

src/svg/qsvghandler.cpp | 3 1 + 2 - 0 !
src/svg/qsvgstructure.cpp | 8 8 + 0 - 0 !
src/svg/qsvgstructure_p.h | 1 1 + 0 - 0 !
tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 3 3 + 0 - 0 !
4 files changed, 13 insertions(+), 2 deletions(-)

 [patch] replace check for endless recursion when loading

The old check parsed the tree of SvgNodes again and again which lead to
quadratic complexity. Instead, set and check a bool where the recursion
may actually happen which is faster and only has linear complexity.

Partially reverts 0332df304f013ded362537c1f61556098b875352

I chose to have the check in QSvgPattern::renderPattern() because:

- It not only appears in the recursive backtrace of the stack-overflow
  which was fixed using the qudratic check, but also in the backtrace
  of another, still unfixed stack overflow. That way, both can be fixed
  by the same patch. Credit to OSS-Fuzz for finding them.
- The function already had some error checking and returns a default
  value when it cannot render the content. In the same way, I can return
  a QImage of the right size but without any content when the endless
  recursion is about to happen.

[ChangeLog] Speed up loading by replacing check for cyclic elements
[ChangeLog] Fix stack overflow when an element references its child
element using url()

Fixes: QTBUG-137553
Pick-to: 6.8