From 6ebef2eb9a6a3630f9142fb040c3f87ba8eeac8e Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Fri, 1 May 2020 10:35:02 +0200
Subject: [PATCH 1/5] Fix 32bit integer overflow in ICC parsing

Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
---
 src/gui/painting/qicc.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 2b5cd58fb18..b7c8e8f824d 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
     }
 
     // Don't overflow 32bit integers:
-    if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+    if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
         qCWarning(lcIcc, "Failed tag count sanity");
         return false;
     }
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
     // Read tag index
     const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
     const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+    Q_ASSERT(offsetToData > 0);
     if (offsetToData > data.size()) {
         qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
         return false;

From 66908badaca7bd258c00103bc388f0ce3bcf7322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Tue, 5 May 2020 10:07:29 +0200
Subject: [PATCH 2/5] Add more deprecation notices to QtNetwork release notes

And move the ones that was already there under the QtNetwork point.

Change-Id: I4f9641f78c624b1846699292e053ee148178df4a
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
 dist/changes-5.15.0 | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/dist/changes-5.15.0 b/dist/changes-5.15.0
index f8e23303115..c42ff4b84de 100644
--- a/dist/changes-5.15.0
+++ b/dist/changes-5.15.0
@@ -46,23 +46,21 @@ information about a particular change.
  - QtNetwork:
    * QNetworkConfigurationManager, QNetworkConfiguration and QNetworkSession
      are deprecated, to be removed in Qt 6.
+   * QNetworkAccessManager::activeConfiguration, configuration and
+     setConfiguration are deprecated, to be removed in Qt 6.
+   * QNetworkAccessManager::networkAccessible, setNetworkAccessible and
+     the NetworkAccessibility enum are deprecated, to be removed in Qt 6.
+   * QLocalSocket::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * QAbstractSocket::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * QNetworkReply::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
+     superseded by sslHandshakeErrors()
 
- - [REVERTED] [QTBUG-80369] QAbstractSocket::error() (the getter) is
-   deprecated; superseded by socketError().
- - [REVERTED] [QTBUG-80369] QLocalSocket::error() (the getter) is
-   deprecated; superseded by socketError().
- - [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
-   superseded by sslHandshakeErrors()
- - [REVERTED] [QTBUG-80369] QNetworkReply::error() (the getter) was
-   deprecated; superseded by networkError().
  - [QTBUG-81630][QTBUG-80312] QLinkedList is deprecated and will be moved
    to Qt5Compat in Qt 6. It is recommended to use std::list instead.
- - QLocalSocket::error() (the signal) is deprecated; superseded by
-   errorOccurred()
- - QAbstractSocket::error() (the signal) is deprecated; superseded by
-   errorOccurred()
- - QNetworkReply::error() (the signal) is deprecated; superseded by
-   errorOccurred()
 
 See also the various sections below, which include many more deprecations.
 

From 798492ccee75a841dfec0e669a409515f3462350 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Tue, 5 May 2020 11:59:52 -0700
Subject: [PATCH 3/5] QCborValue: catch overflow in QByteArray when decoding
 chunked strings

We checked against integer overflow, but not against overflowing the
QByteArray size limit. That caused a std::bad_alloc to be thrown, which
is bad when decoding unknown data. QCborStreamReader wasn't affected,
since it doesn't merge chunks.

Change-Id: I99ab0f318b1c43b89888fffd160c36f495fada87
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
---
 src/corelib/serialization/qcborvalue.cpp      |  2 +-
 .../serialization/cborlargedatavalidation.cpp | 20 +++++++++++++++----
 .../qcborvalue/tst_qcborvalue.cpp             | 15 +++++++++++++-
 3 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/src/corelib/serialization/qcborvalue.cpp b/src/corelib/serialization/qcborvalue.cpp
index 3bca15d5625..89a928d3480 100644
--- a/src/corelib/serialization/qcborvalue.cpp
+++ b/src/corelib/serialization/qcborvalue.cpp
@@ -1636,7 +1636,7 @@ void QCborContainerPrivate::decodeStringFromCbor(QCborStreamReader &reader)
         if (len == rawlen) {
             auto oldSize = data.size();
             auto newSize = oldSize;
-            if (!add_overflow(newSize, len, &newSize)) {
+            if (!add_overflow(newSize, len, &newSize) && newSize < MaxByteArraySize) {
                 if (newSize != oldSize)
                     data.resize(newSize);
 
diff --git a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
index 9abfe0f575c..f3b68939579 100644
--- a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
+++ b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
@@ -81,19 +81,31 @@ qint64 LargeIODevice::readData(char *data, qint64 maxlen)
 
 void addValidationLargeData(qsizetype minInvalid, qsizetype maxInvalid)
 {
-    char toolong[2 + sizeof(qsizetype)] = { char(0x81) };
+    char toolong[1 + sizeof(qsizetype)];
     for (qsizetype v = maxInvalid; v >= minInvalid; --v) {
         // 0x5a for 32-bit, 0x5b for 64-bit
-        toolong[1] = sizeof(v) > 4 ? 0x5b : 0x5a;
-        qToBigEndian(v, toolong + 2);
+        toolong[0] = sizeof(v) > 4 ? 0x5b : 0x5a;
+        qToBigEndian(v, toolong + 1);
 
         QTest::addRow("bytearray-too-big-for-qbytearray-%llx", v)
                 << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
-        toolong[1] |= 0x20;
+        QTest::addRow("bytearray-chunked-too-big-for-qbytearray-%llx", v)
+                << ('\x5f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        QTest::addRow("bytearray-2chunked-too-big-for-qbytearray-%llx", v)
+                << ("\x5f\x40" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        toolong[0] |= 0x20;
 
         // QCborStreamReader::readString copies to a QByteArray first
         QTest::addRow("string-too-big-for-qbytearray-%llx", v)
                 << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
+        QTest::addRow("string-chunked-too-big-for-qbytearray-%llx", v)
+                << ('\x7f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        QTest::addRow("string-2chunked-too-big-for-qbytearray-%llx", v)
+                << ("\x7f\x60" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
     }
 }
 
diff --git a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
index 9c1341e252d..1379cc348da 100644
--- a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
+++ b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
@@ -1926,11 +1926,24 @@ void tst_QCborValue::validation_data()
     // Add QCborStreamReader-specific limitations due to use of QByteArray and
     // QString, which are allocated by QArrayData::allocate().
     const qsizetype MaxInvalid = std::numeric_limits<QByteArray::size_type>::max();
-    const qsizetype MinInvalid = MaxByteArraySize + 1;
+    const qsizetype MinInvalid = MaxByteArraySize + 1 - sizeof(QByteArray::size_type);
     addValidationColumns();
     addValidationData(MinInvalid);
     addValidationLargeData(MinInvalid, MaxInvalid);
 
+    // Chunked strings whose total overflows the limit, but each individual
+    // chunk doesn't. 0x5a for 32-bit, 0x5b for 64-bit.
+    char toolong[1 + sizeof(qsizetype)];
+    toolong[0] = sizeof(MinInvalid) > 4 ? 0x5b : 0x5a;
+    qToBigEndian(MinInvalid - 1, toolong + 1);
+    QTest::addRow("bytearray-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+            << ("\x5f\x41z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+            << 0 << CborErrorDataTooLarge;
+    toolong[0] |= 0x20;
+    QTest::addRow("string-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+            << ("\x7f\x61z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+            << 0 << CborErrorDataTooLarge;
+
     // These tests say we have arrays and maps with very large item counts.
     // They are meant to ensure we don't pre-allocate a lot of memory
     // unnecessarily and possibly crash the application. The actual number of

From a8b373d678f44a9d7006a412cabc75e7586b2c43 Mon Sep 17 00:00:00 2001
From: Fredrik Orderud <fredrik.orderud@ge.com>
Date: Tue, 5 May 2020 13:59:27 +0200
Subject: [PATCH 4/5] qstandardpaths_win.cpp: Fix GetCurrentProcessToken() for
 Win7

The GetCurrentProcessToken() was made an inline function
for Windows 8. Expand it to ensure builds work independent
of WINVER and disable low integrity support for Windows 7.

Fixes: QTBUG-83941
Task-number: QTBUG-83453
Change-Id: Ic989f16621cd80cbc70c6b62779afab8a12714df
Reviewed-by: Fredrik Orderud <forderud@gmail.com>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
 src/corelib/io/qstandardpaths_win.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/corelib/io/qstandardpaths_win.cpp b/src/corelib/io/qstandardpaths_win.cpp
index 5055f4020ca..cbe4ccd0b23 100644
--- a/src/corelib/io/qstandardpaths_win.cpp
+++ b/src/corelib/io/qstandardpaths_win.cpp
@@ -47,6 +47,7 @@
 #include <qcoreapplication.h>
 #endif
 
+#include <qoperatingsystemversion.h>
 #include <qt_windows.h>
 #include <shlobj.h>
 #include <intshcut.h>
@@ -99,7 +100,11 @@ static bool isProcessLowIntegrity() {
     // Disable function until Qt CI is updated
     return false;
 #else
-    HANDLE process_token = GetCurrentProcessToken(); // non-leaking pseudo-handle
+    if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8)
+        return false;
+    // non-leaking pseudo-handle. Expanded inline function GetCurrentProcessToken()
+    // (was made an inline function in Windows 8).
+    const auto process_token = HANDLE(quintptr(-4));
 
     QVarLengthArray<char,256> token_info_buf(256);
     auto* token_info = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(token_info_buf.data());

From ba3b53cb501a77144aa6259e48a8e0edc3d1481d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tor=20Arne=20Vestb=C3=B8?= <tor.arne.vestbo@qt.io>
Date: Mon, 11 May 2020 10:15:08 +0200
Subject: [PATCH 5/5] Fix scanned resources in static builds

Fixes: QTBUG-81621
Change-Id: Ica23e99054c7b2498bdb1e256c256c8b430938b4
Reviewed-by: Oliver Wolff <oliver.wolff@qt.io>
---
 mkspecs/features/qt.prf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mkspecs/features/qt.prf b/mkspecs/features/qt.prf
index 6fe0059bf73..99b7fe6562c 100644
--- a/mkspecs/features/qt.prf
+++ b/mkspecs/features/qt.prf
@@ -293,7 +293,7 @@ contains(all_qt_module_deps, qml): \
 
     !isEmpty(SCANNERRESOURCES) {
         IMPORTPATHS += -qrcFiles
-        for (RESOURCE, SCANNERRESOURCES)
+        for (RESOURCE, SCANNERRESOURCES): \
             IMPORTPATHS += $$absolute_path($$system_quote($$RESOURCE), $$_PRO_FILE_PWD_)
     }