Not yet Submitted By: Ken Moffat Date: 2021-06-19 Initial Package Version: 5.15.2 Upstream Status: Applied Origin: Upstream, found at debian Description: Fixes CVE-2021-3401 (out of bounds read) by clamping parsed doubles to float representable values. Upstream commits: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=aceea78cc05ac8ff https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=bfd6ee0d8cf34b63 diff -Naur a/qtsvg/src/svg/qsvghandler.cpp b/qtsvg/src/svg/qsvghandler.cpp --- a/qtsvg/src/svg/qsvghandler.cpp 2020-10-27 08:02:11.000000000 +0000 +++ b/qtsvg/src/svg/qsvghandler.cpp 2021-06-18 23:16:47.263564883 +0100 @@ -65,6 +65,7 @@ #include "private/qmath_p.h" #include "float.h" +#include QT_BEGIN_NAMESPACE @@ -672,6 +673,9 @@ val = -val; } else { val = QByteArray::fromRawData(temp, pos).toDouble(); + // Do not tolerate values too wild to be represented normally by floats + if (qFpClassify(float(val)) != FP_NORMAL) + val = 0; } return val; @@ -3043,6 +3047,8 @@ ncy = toDouble(cy); if (!r.isEmpty()) nr = toDouble(r); + if (nr < 0.5) + nr = 0.5; qreal nfx = ncx; if (!fx.isEmpty())
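Review bot: The new range check guards only the `else` branch that calls `QByteArray::fromRawData(temp, pos).toDouble()`. The other branch, ending in `val = -val;`, begins outside this hunk, so it should be confirmed that it cannot return a value that does not fit a float, since callers now appear to rely on that. The test `qFpClassify(float(val)) != FP_NORMAL` also resets NaN, infinities and subnormal results to 0 with no diagnostic, which the comment does not say. I would spell it out, for example `// NaN, infinite, subnormal or out-of-float-range results are replaced by 0 so later float conversions stay in range`. The enclosing function starts and ends outside the hunk.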
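Review bot: The floor `if (nr < 0.5) nr = 0.5;` uses a bare literal with no comment, and it rewrites every radius below 0.5, not only zero or negative ones. If `r` can legitimately be a small positive fraction (for example in bounding-box units, which is an assumption from outside this hunk), valid input will now render differently. A narrower guard such as `if (!(nr > 0)) nr = 0.5;` would reject only non-positive values. Unlike `nr < 0.5`, which is false for NaN, that form would also catch a NaN, which matters because the `toDouble` hunk above filters NaN on one branch only. Either way, add a comment saying which radii the gradient code cannot handle. The enclosing function extends beyond the hunk.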