From 8b67e936942f5f95b7588df4b7b3bbde58aa0685 Mon Sep 17 00:00:00 2001
From: Magdalena Stojek <magdalena.stojek@qt.io>
Date: Tue, 6 May 2025 16:11:22 +0200
Subject: [PATCH] Mark QTimeZone as security-critical:

- qtimezonelocale.cpp: matchOffsetFormat() and findLongNamePrefix()
  dereference potentially untrusted string.
- qtimezoneprivate.cpp: findUtcOffsetPrefix() accesses untrusted string
  data.
- qtimezoneprivate_tz.cpp: loadTzTimeZones() parses POSIX
  zone-descriptor format.

Fixes: QTBUG-135197
Change-Id: Ib5ec53ad8210bd872b06be8b1f71459f8b48b2ab
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
---
 src/corelib/time/qtimezonelocale.cpp     | 1 +
 src/corelib/time/qtimezoneprivate.cpp    | 2 +-
 src/corelib/time/qtimezoneprivate_tz.cpp | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/corelib/time/qtimezonelocale.cpp b/src/corelib/time/qtimezonelocale.cpp
index a6f91ce0e57..7b541d0c63a 100644
--- a/src/corelib/time/qtimezonelocale.cpp
+++ b/src/corelib/time/qtimezonelocale.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2024 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #include <private/qtimezonelocale_p.h>
 #include <private/qtimezoneprivate_p.h>
diff --git a/src/corelib/time/qtimezoneprivate.cpp b/src/corelib/time/qtimezoneprivate.cpp
index 4ef990bde7c..ffafb3a95f5 100644
--- a/src/corelib/time/qtimezoneprivate.cpp
+++ b/src/corelib/time/qtimezoneprivate.cpp
@@ -1,7 +1,7 @@
 // Copyright (C) 2022 The Qt Company Ltd.
 // Copyright (C) 2013 John Layt <jlayt@kde.org>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
-
+// Qt-Security score:critical reason:data-parser
 
 #include "qtimezone.h"
 #include "qtimezoneprivate_p.h"
diff --git a/src/corelib/time/qtimezoneprivate_tz.cpp b/src/corelib/time/qtimezoneprivate_tz.cpp
index 42246c3d084..5343b2cfcda 100644
--- a/src/corelib/time/qtimezoneprivate_tz.cpp
+++ b/src/corelib/time/qtimezoneprivate_tz.cpp
@@ -2,6 +2,7 @@
 // Copyright (C) 2019 Crimson AS <info@crimson.no>
 // Copyright (C) 2013 John Layt <jlayt@kde.org>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #include "qtimezone.h"
 #include "qtimezoneprivate_p.h"