Package: qtbase-opensource-src / 5.15.8+dfsg-11+deb12u3

Metadata

Package: qtbase-opensource-src
Version: 5.15.8+dfsg-11+deb12u3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
mime_globs.diff | (download)

src/corelib/mimetypes/qmimedatabase.cpp | 11 7 + 4 - 0 !
src/corelib/mimetypes/qmimeglobpattern.cpp | 5 4 + 1 - 0 !
2 files changed, 11 insertions(+), 5 deletions(-)

 adjust qmimedatabase implementation
 When multiple globs match, and the result from magic sniffing is
 unrelated to any of those globs, globs have priority and one of them
 should be picked up.
fusion_checkable_qpushbutton.diff | (download)

src/widgets/styles/qfusionstyle.cpp | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

 qpushbutton/fusion style: don't ignore qicon::on icon
 The fusion style did ignore the QIcon::On icon because it reset
 State_On to avoid the visual shift of a pressed button.
 But it's not needed to reset this flag - the shift does not happen
 because the fusion style does return 0 as offset for
 PM_ButtonShiftHorizontal/PM_ButtonShiftVertical so no shifting will
 happen.
fix_recursion_crash.diff | (download)

src/widgets/styles/qstylesheetstyle.cpp | 3 3 + 0 - 0 !
tests/auto/widgets/styles/qstylesheetstyle/tst_qstylesheetstyle.cpp | 18 18 + 0 - 0 !
2 files changed, 21 insertions(+)

 fix recursion crash when calling setstylesheet with qproperty-stylesheet
 When calling setStyleSheet with property qproperty-styleSheet,
 QStyleSheetStyle::polish will call QStyleSheetStyle::setProperties,
 and then QStyleSheetStyle::setProperties goes on to call setProperty.
 Because there is property qproperty-styleSheet, it will update
 stylesheet by calling QStyleSheetStyle::polish.
 This causes the recursive call to crash.
mysql_field_readonly.diff | (download)

src/plugins/sqldrivers/mysql/qsql_mysql.cpp | 28 13 + 15 - 0 !
1 file changed, 13 insertions(+), 15 deletions(-)

 treat the mysql_field as read-only
 The MariaDB-connector-c version 3.2 and MariaDB server version 10.6
 cooperate to avoid re-transferring the query metadata, so the fact that
 we were modifying it was causing it to improperly decode the DATETIME
 data types into string, as we had asked. We ended up with a 7-byte
 string that was actually the date binary-encoded.
openssl3.diff | (download)

src/network/ssl/qsslcontext_openssl.cpp | 4 2 + 2 - 0 !
src/network/ssl/qssldiffiehellmanparameters_openssl.cpp | 51 0 + 51 - 0 !
src/network/ssl/qsslsocket_openssl_symbols.cpp | 22 16 + 6 - 0 !
src/network/ssl/qsslsocket_openssl_symbols_p.h | 16 11 + 5 - 0 !
4 files changed, 29 insertions(+), 64 deletions(-)

 upstream fixes to support openssl 3.0
CVE 2022 25255.diff | (download)

src/corelib/io/qprocess_unix.cpp | 28 15 + 13 - 0 !
tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp | 4 2 + 2 - 0 !
2 files changed, 17 insertions(+), 15 deletions(-)

 qprocess: ensure we don't accidentally execute something from cwd
 Unless "." (or the empty string) is in $PATH, we're not supposed to find
 executables in the current directory. This is how the Unix shells behave
 and we match their behavior. It's also the behavior Qt had prior to 5.9
 (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
 the current directory is the norm, so we keep that behavior.
 .
 This commit does not add an explicit check for an empty return from
 QStandardPaths::findExecutable(). Instead, we allow that empty string to
 go all the way to execve(2), which will fail with ENOENT. We could catch
 it early, before fork(2), but why add code for the error case?
 .
 See https://kde.org/info/security/advisory-20220131-1.txt
openssl_set_options.diff | (download)

src/network/ssl/qsslcontext_openssl.cpp | 2 1 + 1 - 0 !
src/network/ssl/qsslsocket_openssl.cpp | 4 2 + 2 - 0 !
src/network/ssl/qsslsocket_openssl_p.h | 8 7 + 1 - 0 !
src/network/ssl/qsslsocket_openssl_symbols.cpp | 2 1 + 1 - 0 !
src/network/ssl/qsslsocket_openssl_symbols_p.h | 2 1 + 1 - 0 !
5 files changed, 12 insertions(+), 6 deletions(-)

 update function argument of ssl_ctx_set_options
 openssl3 uses uint64_t for the options argument in SSL_CTX_set_options,
 older ones used long.
 sizeof(long) is not the same on any platform as sizeof(uint64_t)
qmenu_set_transient_parent.diff | (download)

src/widgets/widgets/qmenu.cpp | 25 25 + 0 - 0 !
src/widgets/widgets/qmenu_p.h | 1 1 + 0 - 0 !
2 files changed, 26 insertions(+)

 widgets: settransientparent() when a qmenu is a window
 On some platforms, such as X11 and Wayland with some compositors,
 QMenu could be a popup window, which should be set a transient parent
 to get relative position, which is requested by Wayland.
 .
 Added transientParentWindow() for QMenuPrivate like QDialogPrivate.
gnome_wayland.diff | (download)

src/gui/kernel/qguiapplication.cpp | 9 1 + 8 - 0 !
1 file changed, 1 insertion(+), 8 deletions(-)

 use wayland platform plugin on gnome wayland sessions by default
 Qt wayland platform plugin has improved quite a lot and it is now pretty
 much usable on Gnome. It also improves user experience a lot on HiDPI
 displays.
revert_wm_state.diff | (download)

src/plugins/platforms/xcb/qxcbwindow.cpp | 115 12 + 103 - 0 !
src/plugins/platforms/xcb/qxcbwindow.h | 16 0 + 16 - 0 !
2 files changed, 12 insertions(+), 119 deletions(-)

 revert "xcb: implement missing bits from icccm 4.1.4 wm_state handling"
 This reverts commit e946e6895a8517a887ac246905e0769edd766fcc.
 .
 It clears the duplicate show() and hide() too aggressively in
 handleDeferredTasks() and can cause visible states out of sync between
 qt and system(x11) when user switches visible on and off very
 frequently.
 .
 This change also reverts 28138aa80a14279a72af2818f5bbbaa670283964.
recreate_xcb_window.diff | (download)

src/plugins/platforms/xcb/qxcbwindow.cpp | 14 14 + 0 - 0 !
src/plugins/platforms/xcb/qxcbwindow.h | 9 9 + 0 - 0 !
2 files changed, 23 insertions(+)

 xcb: recreate xcb window under some conditions
 Some netWmState needs to be set during unmap/hide(), which is too
fix_alt_backtick.diff | (download)

src/platformsupport/input/xkbcommon/qxkbcommon.cpp | 12 6 + 6 - 0 !
src/platformsupport/input/xkbcommon/qxkbcommon_p.h | 4 2 + 2 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 fix alt+` shortcut on non-us layouts
 Make it possible for non-letter-keys with Latin 1 symbols (`, !, @ etc.)
 to participate in shortcuts also, when the keys generate national
 symbols on non-Latin layout.
 .
 For example, in Russian layout, "`" key generates cyrillic "" letter of
 national alphabet, so shortcuts with the key should still work
 regardless of the actual layout.
image_deletion_order.diff | (download)

src/gui/image/qimagereader.cpp | 6 3 + 3 - 0 !
src/gui/image/qimagewriter.cpp | 6 3 + 3 - 0 !
2 files changed, 6 insertions(+), 6 deletions(-)

 fix deletion order in qimagereader/writer destructors
 The device would be deleted before the image format handler, and hence
 be a dangling pointer that could easily cause a crash if the handler
 or codec would access it on destruction, e.g. for cleanup.
qxcbwindow_set_geometry.diff | (download)

src/plugins/platforms/xcb/qxcbwindow.cpp | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 set geometry property in qxcbwindow after checking minimum size
 QXcbWindow::create() bound the window's size to windowMinimumSize(),
 after its size had been inherited from parent().
 QPlatformWindow::setGeometry() was called before that sanity check.
 .
 When a fullscreen window is re-mapped from a deactivated screen to the
 remaining screen, the call to QPlatformWindow::setGeometry() assigns
 an invalid QRect to QPlatformWindowPrivate::rect
 The negative int values x2 and/or y2 cause
 QXcbBackingStoreImage::flushPixmap to address unmapped memory and
 crash.
 .
 This patch moves the call to QPlatformWindow::setGeometry() from
 before to after bounding to a minimum value. That assures a valid
 rectangle to be assigned in all cases.
CVE 2023 24607.diff | (download)

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 206 118 + 88 - 0 !
1 file changed, 118 insertions(+), 88 deletions(-)

 fix denial-of-service in qt sql odbc driver plugin
qshapedpixmapwindow_no_tooltip.diff | (download)

src/gui/kernel/qshapedpixmapdndwindow.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 do not set qt::tooltip flag for qshapedpixmapwindow
 This hint is not really needed in the first place and only causes
 problems in some environments.
 .
 For example in KDE, the compositor animates changes in position and size
 for all ToolTip windows. However, this is not wanted here because we use
 this window as a thumbnail for a drag-and-drop operation.
 Before this patch the dragged element would lag significantly behind the
 cursor. Now it works as expected, i.e. the dragged element follows the
 cursor immediately.
CVE 2023 32763.diff | (download)

src/gui/painting/qfixed_p.h | 9 9 + 0 - 0 !
src/gui/text/qtextlayout.cpp | 9 6 + 3 - 0 !
2 files changed, 15 insertions(+), 3 deletions(-)

 fix buffer overflow in qt svg
 Adds qAddOverflow and qMulOverflow definitions to QFixed.
CVE 2023 32762.diff | (download)

src/network/access/qhsts.cpp | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 hsts: match header names case insensitively
 Header field names are always considered to be case-insensitive.
CVE 2023 33285.diff | (download)

src/network/kernel/qdnslookup_unix.cpp | 31 25 + 6 - 0 !
1 file changed, 25 insertions(+), 6 deletions(-)

 qdnslookup/unix: make sure we don't overflow the buffer
 The DNS Records are variable length and encode their size in 16 bits
 before the Record Data (RDATA). Ensure that both the RDATA and the
 Record header fields before it fall inside the buffer we have.
 .
 Additionally reject any replies containing more than one query record.
sql_odbc_more_unicode_checks.diff | (download)

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 13 12 + 1 - 0 !
1 file changed, 12 insertions(+), 1 deletion(-)

 sql/odbc: add another check to detect unicode availability in driver
 Since ODBC does not have a direct way finding out if unicode is
 supported by the underlying driver the ODBC plugin does some checks. As
 a last resort a sql statement is executed which returns a string. But
 even this may fail because the select statement has no FROM part which
 is rejected by at least Oracle. Therefore add another
 query which is correct for Oracle & DB2 as a workaround. The question
 why the first three statements to check for unicode availability fail
 is still open but can't be checked since I've no access to an oracle
 database.
sql_odbc_fix_unicode_check.diff | (download)

src/plugins/sqldrivers/odbc/qsql_odbc.cpp | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 qsql/odbc: fix regression (trailing nul)
 When we fixed the callers of toSQLTCHAR() to use the result's size()
CVE 2023 34410.diff | (download)

src/network/ssl/qsslsocket.cpp | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 ssl: copy the on-demand cert loading bool from default config
 Otherwise individual sockets will still load system certificates when
 a chain doesn't match against the configured CA certificates.
 That's not intended behavior, since specifically setting the CA
 certificates means you don't want the system certificates to be used.
 .
 This is potentially a breaking change because now, if you ever add a
 CA to the default config, it will disable loading system certificates
 on demand for all sockets. And the only way to re-enable it is to
 create a null-QSslConfiguration and set it as the new default.
CVE 2023 37369.diff | (download)

src/corelib/serialization/qxmlstream.cpp | 39 25 + 14 - 0 !
src/corelib/serialization/qxmlstream.g | 25 22 + 3 - 0 !
src/corelib/serialization/qxmlstream_p.h | 25 22 + 3 - 0 !
tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp | 40 40 + 0 - 0 !
4 files changed, 109 insertions(+), 20 deletions(-)

 qxmlstreamreader: make fastscanname() indicate parsing status to callers
 This fixes a crash while parsing an XML file with garbage data, the file
 starts with '<' then garbage data:
 - The loop in the parse() keeps iterating until it hits "case 262:",
   which calls fastScanName()
 - fastScanName() iterates over the text buffer scanning for the
   attribute name (e.g. "xml:lang"), until it finds ':'
 - Consider a Value val, fastScanName() is called on it, it would set
   val.prefix to a number > val.len, then it would hit the 4096 condition
   and return (returned 0, now it returns the equivalent of
   std::null_opt), which means that val.len doesn't get modified, making
   it smaller than val.prefix
 - The code would try constructing an XmlStringRef with negative length,
   which would hit an assert in one of QStringView's constructors
 .
 Add an assert to the XmlStringRef constructor.
 .
 Add unittest based on the file from the bug report.
 .
 Credit to OSS-Fuzz.
CVE 2023 38197.diff | (download)

src/corelib/serialization/qxmlstream.cpp | 144 136 + 8 - 0 !
src/corelib/serialization/qxmlstream_p.h | 11 11 + 0 - 0 !
tests/auto/corelib/serialization/qxmlstream/tokenError/dtdInBody.xml | 20 20 + 0 - 0 !
tests/auto/corelib/serialization/qxmlstream/tokenError/multipleDtd.xml | 20 20 + 0 - 0 !
tests/auto/corelib/serialization/qxmlstream/tokenError/wellFormed.xml | 15 15 + 0 - 0 !
tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp | 40 40 + 0 - 0 !
6 files changed, 242 insertions(+), 8 deletions(-)

 qxmlstreamreader: raise error on unexpected tokens
 QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD
 fragments in the XML prolog, and in the XML body.
 Well-formed but invalid XML files - with multiple DTD fragments in
 prolog and body, combined with recursive entity expansions - have
 caused infinite loops in QXmlStreamReader.
 .
 This patch implements a token check in QXmlStreamReader.
 A stream is allowed to start with an XML prolog. StartDocument
 and DOCTYPE elements are only allowed in this prolog, which
 may also contain ProcessingInstruction and Comment elements.
 As soon as anything else is seen, the prolog ends.
 After that, the prolog-specific elements are treated as unexpected.
 Furthermore, the prolog can contain at most one DOCTYPE element.
 .
 Update the documentation to reflect the new behavior.
 Add an autotest that checks the new error cases are correctly detected,
 and no error is raised for legitimate input.
 .
 The original OSS-Fuzz files (see bug reports) are not included in this
 patch for file size reasons. They have been tested manually. Each of
 them has more than one DOCTYPE element, causing infinite loops in
 recursive entity expansions. The newly implemented functionality
 detects those invalid DTD fragments. By raising an error, it aborts
 stream reading before an infinite loop occurs.
 .
 Thanks to OSS-Fuzz for finding this.
CVE 2023 51714.diff | (download)

src/network/access/http2/hpacktable.cpp | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch] hpack: fix incorrect integer overflow check

This code never worked:

For the comparison with max() - 32 to trigger, on 32-bit platforms (or
Qt 5) signed integer overflow would have had to happen in the
addition of the two sizes. The compiler can therefore remove the
overflow check as dead code.

On Qt 6 and 64-bit platforms, the signed integer addition would be
very unlikely to overflow, but the following truncation to uint32
would yield the correct result only in a narrow 32-value window just
below UINT_MAX, if even that.

Fix by using the proper tool, qAddOverflow.

Manual conflict resolutions:
 - qAddOverflow doesn't exist in Qt 5, use private add_overflow
   predecessor API instead

CVE 2024 25580.diff | (download)

src/gui/util/qktxhandler.cpp | 138 109 + 29 - 0 !
src/gui/util/qktxhandler_p.h | 2 1 + 1 - 0 !
2 files changed, 110 insertions(+), 30 deletions(-)

---
a11y_null_checks.diff | (download)

src/platformsupport/linuxaccessibility/atspiadaptor.cpp | 37 26 + 11 - 0 !
1 file changed, 26 insertions(+), 11 deletions(-)

 a11y atspi: add null checks in table iface methods
 Add null checks to cover the cases where QAccessibleTableInterface::cellAt
 returns nullptr (which happens e.g. when called with invalid indices via
 AT-SPI) or where the cell object doesn't implement the
 QAccessibleTableCellInterface, which would previously result in crashes.
 .
 Cherry-picked into 5.15 as it fixes a crash in popular accessibility client
 software. Conflict resolution: remove C++17'isms (`if` with initializer).
CVE 2024 39936.diff | (download)

src/network/access/qhttp2protocolhandler.cpp | 6 3 + 3 - 0 !
src/network/access/qhttpnetworkconnectionchannel.cpp | 46 44 + 2 - 0 !
src/network/access/qhttpnetworkconnectionchannel_p.h | 6 6 + 0 - 0 !
3 files changed, 53 insertions(+), 5 deletions(-)

 http2: delay any communication until encrypted() can be responded to
 We have the encrypted() signal that lets users do extra checks on the
 established connection. It is emitted as BlockingQueued, so the HTTP
 thread stalls until it is done emitting. Users can potentially call
 abort() on the QNetworkReply at that point, which is passed as a Queued
 call back to the HTTP thread. That means that any currently queued
 signal emission will be processed before the abort() call is processed.
 .
 In the case of HTTP2 it is a little special since it is multiplexed and
 the code is built to start requests as they are available. This means
 that, while the code worked fine for HTTP1, since one connection only
 has one request, it is not working for HTTP2, since we try to send more
 requests in-between the encrypted() signal and the abort() call.
 .
 This patch changes the code to delay any communication until the
 encrypted() signal has been emitted and processed, for HTTP2 only.
 It's done by adding a few booleans, both to know that we have to return
 early and so we can keep track of what events arose and what we need to
 resume once enough time has passed that any abort() call must have been
 processed.
gnukfreebsd.diff | (download)

mkspecs/features/qt_functions.prf | 2 2 + 0 - 0 !
mkspecs/gnukfreebsd-g++/qmake.conf | 54 54 + 0 - 0 !
mkspecs/gnukfreebsd-g++/qplatformdefs.h | 84 84 + 0 - 0 !
3 files changed, 140 insertions(+)

 initial gnu/kfreebsd support
 - add a gnukfreebsd-g++ qmake mkspec, mostly copied from the hurd-g++ one
 - properly use LD_LIBRARY_PATH on GNU/* systems
no_htmlinfo_example.diff | (download)

examples/xml/xml.pro | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 disable htmlinfo example which contains non-free files
remove_privacy_breaches.diff | (download)

doc/global/template/scripts/main.js | 5 0 + 5 - 0 !
1 file changed, 5 deletions(-)

 remove non-used privacy-breach code
 This code makes Lintian unhappy. But we are really not using it, it only
 gets inserted when building the online doc.
 Anyways the best way to calm down Lintian is to simply remove it.
link_fbclient.diff | (download)

src/plugins/sqldrivers/configure.json | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 build ibase sql plugin against firebird
gnukfreebsd_linker_warnings.diff | (download)

src/corelib/configure.json | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 catch linker warnings in some config tests
 Without this, qmake wrongly thinks that the tests succeed, for example:
 .
 ./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
 test config.corelib.tests.futimens succeeded
armv4.diff | (download)

src/corelib/global/qprocessordetection.h | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 support armv4 architecture, needed for armel builds
nonlinux_utime.diff | (download)

qmake/library/ioutils.cpp | 2 1 + 1 - 0 !
src/corelib/io/qfilesystemengine_unix.cpp | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 guard utime_now/utime_omit usages
qdoc_default_incdirs.diff | (download)

mkspecs/features/qt_docs.prf | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 pass default include directories to qdoc
path_max.diff | (download)

src/corelib/io/qfilesystemengine_unix.cpp | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 avoid unconditional path_max usage
 Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
 be used, as an allocating realpath() will be used instead.
qstorageinfo_linux.diff | (download)

src/corelib/io/qstorageinfo_unix.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 limit linux-only code with q_os_linux
 The QStorageInfo/QStorageIterator implementation used for Linux is used also
 on Hurd, as it uses an interface provided by GNU libc.
 QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
 to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
 check within a Q_OS_LINUX block.
cross_build_mysql.diff | (download)

src/plugins/sqldrivers/configure.json | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 call pkgconfig in order to be able to cross build qtbase with mysql.
 Qt's build system calls mysql_config... which won't work in a cross build
 environment like Debian's, as it will throw an exec format error.
 .
 In order to solve this call pkgconfig and use mysqlclient.pc.
cast_types_for_egl_x11_test.diff | (download)

src/gui/configure.json | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 properly cast types for libglvnd 1.3.4
revert_startBlocking_removal.diff | (download)

src/concurrent/qtconcurrentthreadengine.cpp | 33 33 + 0 - 0 !
src/concurrent/qtconcurrentthreadengine.h | 23 23 + 0 - 0 !
2 files changed, 56 insertions(+)

 revert "remove the dead code for blocking methods from qtconcurrent"
 It's a binary incompatible change.
a11y_root.diff | (download)

src/platformsupport/linuxaccessibility/bridge.cpp | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 fix accessibility on xcb when running as root
 Accessibility actually works when running applications as root, but we
 would never properly connect, since the enabledChanged signal would be
 emitted from the constructor in this case. So after connecting the
 signal, check the value by hand to make sure not to miss the
 notification.
 .
 Only applications running as root would be affected, because all other
 applications would go through the asynchronous pattern of getting the
 bus address from dbus instead.