Package: qtbase-opensource-src / 5.15.2+dfsg-9+deb11u1

Metadata

Package: qtbase-opensource-src
Version: 5.15.2+dfsg-9+deb11u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
xcb_screens_uaf.patch

src/plugins/platforms/xcb/qxcbconnection_screens.cpp | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 Avoid use-after-free in QXcbConnection::initializeScreens()
qnam_connect_memory_leak.diff

src/network/access/qnetworkreplyhttpimpl.cpp | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 QNAM: work around QObject finicky orphan cleanup details
gcc_11_limits.diff

src/corelib/global/qendian.h | 2 2 + 0 - 0 !
src/corelib/global/qfloat16.h | 1 1 + 0 - 0 !
src/corelib/text/qbytearraymatcher.h | 2 2 + 0 - 0 !
3 files changed, 5 insertions(+)

 Include <limits> to fix some GCC 11 build issues
qiodevice_readline_memory.diff

src/corelib/io/qiodevice.cpp | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 Fix allocated memory of QByteArray returned by QIODevice::readLine
mime_globs.diff

src/corelib/mimetypes/qmimedatabase.cpp | 11 7 + 4 - 0 !
src/corelib/mimetypes/qmimeglobpattern.cpp | 5 4 + 1 - 0 !
2 files changed, 11 insertions(+), 5 deletions(-)

 Adjust QMimeDatabase implementation
 When multiple globs match, and the result from magic sniffing is
 unrelated to any of those globs, globs have priority and one of them
 should be picked up.
fix invalid pointer return with QGridLayout.diff

src/widgets/kernel/qgridlayout.cpp | 6 3 + 3 - 0 !
tests/auto/widgets/kernel/qgridlayout/tst_qgridlayout.cpp | 51 51 + 0 - 0 !
2 files changed, 54 insertions(+), 3 deletions(-)

 [PATCH] Fix invalid pointer return with QGridLayout::itemAt(-1)

QGridLayout::takeAt() and QLayoutItem *itemAt() only check the upper bound.
If the index < 0, these functions will return an invalid pointer.

Fixes: QTBUG-91261
Pick-to: 5.15 6.0 6.1
CVE-2024-25580.diff

src/gui/util/qktxhandler.cpp | 138 109 + 29 - 0 !
src/gui/util/qktxhandler_p.h | 2 1 + 1 - 0 !
2 files changed, 110 insertions(+), 30 deletions(-)

---
CVE-2023-32763.diff

src/gui/painting/qfixed_p.h | 9 9 + 0 - 0 !
src/gui/text/qtextlayout.cpp | 9 6 + 3 - 0 !
2 files changed, 15 insertions(+), 3 deletions(-)

 Fix buffer overflow in Qt SVG
 Adds qAddOverflow and qMulOverflow definitions to QFixed.
CVE-2022-25255.diff

src/corelib/io/qprocess_unix.cpp | 28 15 + 13 - 0 !
tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp | 4 2 + 2 - 0 !
2 files changed, 17 insertions(+), 15 deletions(-)

 QProcess: ensure we don't accidentally execute something from CWD
 Unless "." (or the empty string) is in $PATH, we're not supposed to find
 executables in the current directory. This is how the Unix shells behave
 and we match their behavior. It's also the behavior Qt had prior to 5.9
 (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
 the current directory is the norm, so we keep that behavior.
 .
 This commit does not add an explicit check for an empty return from
 QStandardPaths::findExecutable(). Instead, we allow that empty string to
 go all the way to execve(2), which will fail with ENOENT. We could catch
 it early, before fork(2), but why add code for the error case?
 .
 See https://kde.org/info/security/advisory-20220131-1.txt
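
As an added illustration of the lookup rule this commit message describes (example code, not from Qt or from the Debian patch): a small POSIX-style resolver that finds a bare program name only through the entries of a PATH string, treating "" and "." as the current directory, and resolves a name containing "/" against the working directory instead. The makeDemoDir() fixture and its "tool" script are constructed for the demo; the function and parameter names are the example's own.

```cpp
#include <cstdlib>      // mkdtemp
#include <fstream>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <vector>
#include <sys/stat.h>   // stat, chmod
#include <unistd.h>     // access, X_OK

// Split a PATH-style string on ':'. Empty elements (leading ':', '::',
// trailing ':') are kept: POSIX treats each of them as the current directory.
static std::vector<std::string> splitPath(std::string_view pathEnv)
{
    std::vector<std::string> parts;
    std::string cur;
    for (char c : pathEnv) {
        if (c == ':') { parts.push_back(cur); cur.clear(); }
        else cur += c;
    }
    parts.push_back(cur);
    return parts;
}

static std::string join(const std::string &dir, std::string_view name)
{
    std::string out = dir;
    if (out.empty() || out.back() != '/') out += '/';
    out.append(name.data(), name.size());
    return out;
}

static bool isExecutableFile(const std::string &p)
{
    struct stat st {};
    return ::stat(p.c_str(), &st) == 0 && S_ISREG(st.st_mode)
        && ::access(p.c_str(), X_OK) == 0;
}

// Resolve `program` the way a POSIX shell does. A name containing '/' is a
// path (relative ones are taken against `cwd`). A bare name is looked up only
// in the entries of `pathEnv`, where "" and "." stand for `cwd`; it is never
// found in `cwd` unless `pathEnv` lists it explicitly.
std::optional<std::string> findExecutable(std::string_view program,
                                          std::string_view pathEnv,
                                          const std::string &cwd)
{
    if (program.empty())
        return std::nullopt;
    if (program.find('/') != std::string_view::npos) {
        std::string p(program);
        if (p[0] != '/')
            p = join(cwd, p);
        if (isExecutableFile(p))
            return p;
        return std::nullopt;
    }
    for (const std::string &dir : splitPath(pathEnv)) {
        const std::string base = (dir.empty() || dir == ".") ? cwd : dir;
        std::string candidate = join(base, program);
        if (isExecutableFile(candidate))
            return candidate;
    }
    return std::nullopt;
}

// Constructed fixture for the demo (not a real deployment): a fresh temp
// directory containing an executable script named "tool". Returns the
// directory, or "" on failure.
std::string makeDemoDir()
{
    char tmpl[] = "/tmp/findexec-demo-XXXXXX";
    const char *dir = ::mkdtemp(tmpl);
    if (!dir)
        return {};
    const std::string script = join(dir, "tool");
    { std::ofstream f(script); f << "#!/bin/sh\necho tool\n"; }
    ::chmod(script.c_str(), 0755);
    return dir;
}

int main()
{
    const std::string cwd = makeDemoDir();
    const char *cases[][2] = {
        {"tool", "/usr/bin:/bin"},   // bare name, cwd not in PATH: not found
        {"tool", "/usr/bin:."},      // "." in PATH: found in cwd
        {"tool", ":/usr/bin"},       // empty entry in PATH: found in cwd
        {"./tool", "/usr/bin:/bin"}, // explicit relative path: found
    };
    for (auto &c : cases) {
        auto r = findExecutable(c[0], c[1], cwd);
        std::cout << c[0] << " with PATH=" << c[1] << " -> "
                  << (r ? *r : std::string("(not found)")) << '\n';
    }
    return 0;
}
```

The PATH string and working directory are explicit parameters rather than read from the environment, so the four cases above can be checked deterministically; the last one shows that an explicit "./tool" is still honoured, which is the behaviour the shells keep as well.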
CVE-2023-24607.diff

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 206 118 + 88 - 0 !
1 file changed, 118 insertions(+), 88 deletions(-)

 Fix denial-of-service in Qt SQL ODBC driver plugin
sql_odbc_fix_unicode_check.diff

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 QSql/ODBC: fix regression (trailing NUL)
 When we fixed the callers of toSQLTCHAR() to use the result's size()
sql_odbc_more_unicode_checks.diff

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 13 12 + 1 - 0 !
1 file changed, 12 insertions(+), 1 deletion(-)

 SQL/ODBC: add another check to detect unicode availability in driver
 Since ODBC does not have a direct way of finding out if unicode is
 supported by the underlying driver the ODBC plugin does some checks. As
 a last resort a sql statement is executed which returns a string. But
 even this may fail because the select statement has no FROM part, which
 at least Oracle rejects. Therefore add another query which is correct
 for Oracle & DB2 as a workaround. The question why the first three
 statements to check for unicode availability fail is still open but
 can't be checked since I've no access to an oracle database.
CVE-2023-32762.diff

src/network/access/qhsts.cpp | 4 2 + 2 - 0 !
tests/auto/network/access/hsts/tst_qhsts.cpp | 6 6 + 0 - 0 !
2 files changed, 8 insertions(+), 2 deletions(-)

---
CVE-2023-51714.diff

src/network/access/http2/hpacktable.cpp | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [PATCH] HPACK: fix incorrect integer overflow check

This code never worked:

For the comparison with max() - 32 to trigger, on 32-bit platforms (or
Qt 5) signed integer overflow would have had to happen in the
addition of the two sizes. The compiler can therefore remove the
overflow check as dead code.

On Qt 6 and 64-bit platforms, the signed integer addition would be
very unlikely to overflow, but the following truncation to uint32
would yield the correct result only in a narrow 32-value window just
below UINT_MAX, if even that.

Fix by using the proper tool, qAddOverflow.

Manual conflict resolutions:
 - qAddOverflow doesn't exist in Qt 5, use private add_overflow
   predecessor API instead
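
Added example (not Qt's code, and not the contents of either Debian patch) for the overflow check that this HPACK commit message and the CVE-2023-32763 patch above, which adds qAddOverflow and qMulOverflow definitions to QFixed, both rely on. It gives portable addOverflow/mulOverflow helpers written in the spirit of those Qt helpers, the truncate-then-compare shape the message describes for the 64-bit case, and an HPACK entry-size computation that carries the check at full width. All names are the example's own; the 32-octet overhead is the value RFC 7541 section 4.1 specifies.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>
#include <string>
#include <type_traits>

// Overflow-detecting add/mul for unsigned types, in the spirit of Qt's
// qAddOverflow/qMulOverflow. Independent reimplementation, not Qt's code.
// Each returns true on overflow and always stores the wrapped result.
template <typename T>
bool addOverflow(T a, T b, T *result)
{
    static_assert(std::is_unsigned<T>::value, "unsigned types only");
    *result = T(a + b);
    return a > std::numeric_limits<T>::max() - b;
}

template <typename T>
bool mulOverflow(T a, T b, T *result)
{
    static_assert(std::is_unsigned<T>::value, "unsigned types only");
    *result = T(a * b);
    return b != 0 && a > std::numeric_limits<T>::max() / b;
}

// RFC 7541 section 4.1: a dynamic-table entry costs name length + value
// length + 32 octets.
constexpr uint32_t kHpackEntryOverhead = 32;

// The shape the commit message describes as broken, 64-bit flavour: the two
// sizes are added at full width, the sum is narrowed to 32 bits, and only the
// narrowed value is compared against max() - 32. Narrowing discards exactly
// the bits the check needed, so a multi-gigabyte pair of lengths is accepted
// and a tiny entry size comes back.
std::optional<uint32_t> brokenEntrySize(int64_t nameLen, int64_t valueLen)
{
    const uint32_t sum = uint32_t(nameLen + valueLen);
    if (sum > std::numeric_limits<uint32_t>::max() - kHpackEntryOverhead)
        return std::nullopt;
    return sum + kHpackEntryOverhead;
}

// Fixed shape: check every addition at full width, then check that the total
// fits the 32-bit size the table bookkeeping uses.
std::optional<uint32_t> entrySize(uint64_t nameLen, uint64_t valueLen)
{
    uint64_t sum = 0;
    if (addOverflow(nameLen, valueLen, &sum))
        return std::nullopt;
    if (addOverflow(sum, uint64_t(kHpackEntryOverhead), &sum))
        return std::nullopt;
    if (sum > std::numeric_limits<uint32_t>::max())
        return std::nullopt;
    return uint32_t(sum);
}

int main()
{
    const uint64_t huge = uint64_t(1) << 32;  // a 4 GiB header name
    auto broken = brokenEntrySize(int64_t(huge), 10);
    auto fixed = entrySize(huge, 10);
    std::cout << "broken: " << (broken ? std::to_string(*broken) : "rejected") << '\n'
              << "fixed:  " << (fixed ? std::to_string(*fixed) : "rejected") << '\n';
    return 0;
}
```

The broken variant reports an entry size of 42 octets for a name four gigabytes long, which is the accounting error that lets the dynamic table grow past its limit; the fixed variant rejects it, and still accepts the largest legitimate total of exactly UINT32_MAX.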

CVE-2023-37369.diff

src/corelib/serialization/qxmlstream.cpp | 40 28 + 12 - 0 !
src/corelib/serialization/qxmlstream.g | 25 22 + 3 - 0 !
src/corelib/serialization/qxmlstream_p.h | 25 22 + 3 - 0 !
3 files changed, 72 insertions(+), 18 deletions(-)

---
CVE-2023-38197.diff

src/corelib/serialization/qxmlstream.cpp | 144 136 + 8 - 0 !
src/corelib/serialization/qxmlstream_p.h | 11 11 + 0 - 0 !
2 files changed, 147 insertions(+), 8 deletions(-)

---
CVE-2023-34410.diff

src/network/ssl/qsslsocket.cpp | 5 5 + 0 - 0 !
src/network/ssl/qsslsocket_schannel.cpp | 22 22 + 0 - 0 !
2 files changed, 27 insertions(+)

---
CVE-2023-33285.diff

src/network/kernel/qdnslookup_unix.cpp | 31 25 + 6 - 0 !
1 file changed, 25 insertions(+), 6 deletions(-)

 QDnsLookup/Unix: make sure we don't overflow the buffer
 The DNS Records are variable length and encode their size in 16 bits
 before the Record Data (RDATA). Ensure that both the RDATA and the
 Record header fields before it fall inside the buffer we have.
 .
 Additionally reject any replies containing more than one query record.
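
Added example of the two rules this commit message states (example code, not Qt's QDnsLookup implementation and not the patch): a reply parser whose cursor refuses every read that would run past the buffer, so the fixed-size record header fields are bounds-checked before RDLENGTH is trusted, RDLENGTH is then checked against what is left, and a reply with more than one question record is rejected. The sampleReply() bytes are constructed for the demo, not a captured packet, and the struct and function names are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

struct DnsRecord {
    uint16_t type = 0;
    uint16_t rrclass = 0;
    uint32_t ttl = 0;
    std::vector<uint8_t> rdata;
};

namespace {
// Read cursor that can never step past the end of the reply.
struct Cursor {
    const std::vector<uint8_t> &buf;
    size_t pos = 0;

    bool has(size_t n) const { return n <= buf.size() - pos; }
    bool u8(uint8_t &v) { if (!has(1)) return false; v = buf[pos++]; return true; }
    bool u16(uint16_t &v) {
        if (!has(2)) return false;
        v = uint16_t((buf[pos] << 8) | buf[pos + 1]); pos += 2; return true;
    }
    bool u32(uint32_t &v) {
        if (!has(4)) return false;
        v = (uint32_t(buf[pos]) << 24) | (uint32_t(buf[pos + 1]) << 16)
          | (uint32_t(buf[pos + 2]) << 8) | buf[pos + 3];
        pos += 4; return true;
    }
    // Skip an owner name: length-prefixed labels ended by a zero byte, or a
    // two-byte compression pointer (RFC 1035 section 4.1.4), which ends it.
    bool skipName() {
        for (;;) {
            uint8_t len;
            if (!u8(len)) return false;
            if (len == 0) return true;
            if ((len & 0xC0) == 0xC0) { uint8_t lo; return u8(lo); }
            if (len > 63 || !has(len)) return false;  // reserved label type, or label overruns
            pos += len;
        }
    }
};
} // namespace

// Parse the question and answer sections with every length checked against
// the buffer before it is used. Returns nullopt on any truncation or on more
// than one question record. Authority/additional sections are not parsed.
std::optional<std::vector<DnsRecord>> parseAnswers(const std::vector<uint8_t> &reply)
{
    Cursor c{reply};
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
    if (!c.u16(id) || !c.u16(flags) || !c.u16(qdcount) || !c.u16(ancount)
        || !c.u16(nscount) || !c.u16(arcount))
        return std::nullopt;
    if (qdcount > 1)                               // the message's second rule
        return std::nullopt;
    for (uint16_t i = 0; i < qdcount; ++i) {
        uint16_t qtype, qclass;
        if (!c.skipName() || !c.u16(qtype) || !c.u16(qclass))
            return std::nullopt;
    }
    std::vector<DnsRecord> answers;
    for (uint16_t i = 0; i < ancount; ++i) {
        DnsRecord rr;
        uint16_t rdlength;
        // Header fields first: each read fails if it would overrun the buffer.
        if (!c.skipName() || !c.u16(rr.type) || !c.u16(rr.rrclass)
            || !c.u32(rr.ttl) || !c.u16(rdlength))
            return std::nullopt;
        // Then the declared RDATA length must itself fit in what is left.
        if (!c.has(rdlength))
            return std::nullopt;
        rr.rdata.assign(reply.begin() + std::ptrdiff_t(c.pos),
                        reply.begin() + std::ptrdiff_t(c.pos + rdlength));
        c.pos += rdlength;
        answers.push_back(std::move(rr));
    }
    return answers;
}

// Constructed sample (not a captured packet): reply to an A query for
// "a.example" with one answer, 192.0.2.1, TTL 3600. `qdcount` and `rdlength`
// are parameters so the error paths can be exercised; only four RDATA bytes
// are ever present.
std::vector<uint8_t> sampleReply(uint16_t qdcount = 1, uint16_t rdlength = 4)
{
    return {
        0x12, 0x34, 0x81, 0x80,                       // ID, flags: standard response
        uint8_t(qdcount >> 8), uint8_t(qdcount),      // QDCOUNT
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00,           // ANCOUNT 1, NSCOUNT 0, ARCOUNT 0
        0x01, 'a', 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0x00, // QNAME a.example
        0x00, 0x01, 0x00, 0x01,                       // QTYPE A, QCLASS IN
        0xC0, 0x0C,                                   // NAME: pointer to offset 12
        0x00, 0x01, 0x00, 0x01,                       // TYPE A, CLASS IN
        0x00, 0x00, 0x0E, 0x10,                       // TTL 3600
        uint8_t(rdlength >> 8), uint8_t(rdlength),    // RDLENGTH
        192, 0, 2, 1,                                 // RDATA
    };
}

int main()
{
    auto ok = parseAnswers(sampleReply());
    std::cout << "well-formed reply: " << (ok ? ok->size() : 0) << " answer(s)\n"
              << "RDLENGTH overrun:  " << (parseAnswers(sampleReply(1, 64)) ? "accepted" : "rejected") << '\n'
              << "two questions:     " << (parseAnswers(sampleReply(2)) ? "accepted" : "rejected") << '\n';
    return 0;
}
```

The point of routing every read through the cursor is that the header fields (name, TYPE, CLASS, TTL, RDLENGTH) are checked before RDLENGTH is read at all, so a reply cut off in the middle of the header is caught as early as one whose RDLENGTH points past the end.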
gnukfreebsd.diff

mkspecs/features/qt_functions.prf | 2 2 + 0 - 0 !
mkspecs/gnukfreebsd-g++/qmake.conf | 54 54 + 0 - 0 !
mkspecs/gnukfreebsd-g++/qplatformdefs.h | 84 84 + 0 - 0 !
3 files changed, 140 insertions(+)

 Initial GNU/kFreeBSD support
 - add a gnukfreebsd-g++ qmake mkspec, mostly copied from the hurd-g++ one
 - properly use LD_LIBRARY_PATH on GNU/* systems
no_htmlinfo_example.diff

examples/xml/xml.pro | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 Disable htmlinfo example which contains non-free files
remove_privacy_breaches.diff

doc/global/template/scripts/main.js | 5 0 + 5 - 0 !
1 file changed, 5 deletions(-)

 Remove non-used privacy-breach code
 This code makes Lintian unhappy. But we are really not using it, it only
 gets inserted when building the online doc.
 Anyways the best way to calm down Lintian is to simply remove it.
link_fbclient.diff

src/plugins/sqldrivers/configure.json | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Build ibase SQL plugin against Firebird
gnukfreebsd_linker_warnings.diff

src/corelib/configure.json | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 Catch linker warnings in some config tests
 Without this, qmake wrongly thinks that the tests succeed, for example:
 .
 ./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
 test config.corelib.tests.futimens succeeded
armv4.diff

src/corelib/global/qprocessordetection.h | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 Support armv4 architecture, needed for armel builds
nonlinux_utime.diff

qmake/library/ioutils.cpp | 2 1 + 1 - 0 !
src/corelib/io/qfilesystemengine_unix.cpp | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 Guard UTIME_NOW/UTIME_OMIT usages
qdoc_default_incdirs.diff

mkspecs/features/qt_docs.prf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 Pass default include directories to qdoc
path_max.diff

src/corelib/io/qfilesystemengine_unix.cpp | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 Avoid unconditional PATH_MAX usage
 Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
 be used, as an allocating realpath() will be used instead.
qstorageinfo_linux.diff

src/corelib/io/qstorageinfo_unix.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 Limit Linux-only code with Q_OS_LINUX
 The QStorageInfo/QStorageIterator implementation used for Linux is used also
 on Hurd, as it uses an interface provided by GNU libc.
 QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
 to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
 check within a Q_OS_LINUX block.
cross_build_mysql.diff

src/plugins/sqldrivers/configure.json | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 Call pkgconfig in order to be able to cross build qtbase with MySQL.
 Qt's build system calls mysql_config... which won't work in a cross build
 environment like Debian's, as it will throw an exec format error.
 .
 In order to solve this call pkgconfig and use mysqlclient.pc.