From 1c8fdba867126889a85cf81292ef6399fd12af36d824d15ac7308d611cd5deb0 Mon Sep 17 00:00:00 2001
From: Christophe Marin <christophe+obs@krop.fr>
Date: Wed, 8 Feb 2023 18:04:00 +0000
Subject: [PATCH] Accepting request 1063888 from KDE:Qt:6.4

- Fix a possible DOS in the Qt ODBC driver plugin (CVE-2023-24607):
  * CVE-2023-24607-qtbase-6.4.diff

OBS-URL: https://build.opensuse.org/request/show/1063888
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt6/qt6-base?expand=0&rev=42
---
 CVE-2023-24607-qtbase-6.4.diff | 339 +++++++++++++++++++++++++++++++++
 qt6-base.changes               |   6 +
 qt6-base.spec                  |   1 +
 3 files changed, 346 insertions(+)
 create mode 100644 CVE-2023-24607-qtbase-6.4.diff

diff --git a/CVE-2023-24607-qtbase-6.4.diff b/CVE-2023-24607-qtbase-6.4.diff
new file mode 100644
index 0000000..5c3efa7
--- /dev/null
+++ b/CVE-2023-24607-qtbase-6.4.diff
@@ -0,0 +1,339 @@
+CVE-2023-24607 cumulative fixes (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24607)
+
+Origin: https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
+
+
+--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+@@ -58,23 +58,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray<SQLTCHAR>& input, qsize
+     return result;
+ }
+ 
++template <size_t SizeOfChar = sizeof(SQLTCHAR)>
++void toSQLTCHARImpl(QVarLengthArray<SQLTCHAR> &result, const QString &input); // primary template undefined
++
++template <typename Container>
++void do_append(QVarLengthArray<SQLTCHAR> &result, const Container &c)
++{
++    result.append(reinterpret_cast<const SQLTCHAR *>(c.data()), c.size());
++}
++
++template <>
++void toSQLTCHARImpl<1>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
++{
++    const auto u8 = input.toUtf8();
++    do_append(result, u8);
++}
++
++template <>
++void toSQLTCHARImpl<2>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
++{
++    do_append(result, input);
++}
++
++template <>
++void toSQLTCHARImpl<4>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
++{
++    const auto u32 = input.toUcs4();
++    do_append(result, u32);
++}
++
+ inline static QVarLengthArray<SQLTCHAR> toSQLTCHAR(const QString &input)
+ {
+     QVarLengthArray<SQLTCHAR> result;
+-    result.resize(input.size());
+-    switch(sizeof(SQLTCHAR)) {
+-        case 1:
+-            memcpy(result.data(), input.toUtf8().data(), input.size());
+-            break;
+-        case 2:
+-            memcpy(result.data(), input.unicode(), input.size() * 2);
+-            break;
+-        case 4:
+-            memcpy(result.data(), input.toUcs4().data(), input.size() * 4);
+-            break;
+-        default:
+-            qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR)));
+-    }
++    toSQLTCHARImpl(result, input);
+     result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't.
+     return result;
+ }
+
+--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+@@ -1740,10 +1740,11 @@ bool QODBCResult::exec()
+             case QMetaType::QString:
+                 if (d->unicode) {
+                     if (bindValueType(i) & QSql::Out) {
+-                        const QByteArray &first = tmpStorage.at(i);
+-                        QVarLengthArray<SQLTCHAR> array;
+-                        array.append((const SQLTCHAR *)first.constData(), first.size());
+-                        values[i] = fromSQLTCHAR(array, first.size()/sizeof(SQLTCHAR));
++                        const QByteArray &bytes = tmpStorage.at(i);
++                        const auto strSize = bytes.size() / sizeof(SQLTCHAR);
++                        QVarLengthArray<SQLTCHAR> string(strSize);
++                        memcpy(string.data(), bytes.data(), strSize * sizeof(SQLTCHAR));
++                        values[i] = fromSQLTCHAR(string);
+                     }
+                     break;
+                 }
+
+
+--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+@@ -745,6 +745,14 @@ QChar QODBCDriverPrivate::quoteChar()
+     return quote;
+ }
+
++static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val)
++{
++    auto encoded = toSQLTCHAR(val);
++    return SQLSetConnectAttr(handle, attr,
++                             encoded.data(),
++                             SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes
++}
++
+
+ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
+ {
+@@ -780,10 +788,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
+             v = val.toUInt();
+             r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0);
+         } else if (opt.toUpper() == "SQL_ATTR_CURRENT_CATALOG"_L1) {
+-            val.utf16(); // 0 terminate
+-            r = SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG,
+-                                    toSQLTCHAR(val).data(),
+-                                    SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
++            r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val);
+         } else if (opt.toUpper() == "SQL_ATTR_METADATA_ID"_L1) {
+             if (val.toUpper() == "SQL_TRUE"_L1) {
+                 v = SQL_TRUE;
+@@ -798,10 +803,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
+             v = val.toUInt();
+             r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0);
+         } else if (opt.toUpper() == "SQL_ATTR_TRACEFILE"_L1) {
+-            val.utf16(); // 0 terminate
+-            r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE,
+-                                    toSQLTCHAR(val).data(),
+-                                    SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
++            r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val);
+         } else if (opt.toUpper() == "SQL_ATTR_TRACE"_L1) {
+             if (val.toUpper() == "SQL_OPT_TRACE_OFF"_L1) {
+                 v = SQL_OPT_TRACE_OFF;
+@@ -1004,9 +1006,12 @@ bool QODBCResult::reset (const QString& query)
+         return false;
+     }
+
+-    r = SQLExecDirect(d->hStmt,
+-                       toSQLTCHAR(query).data(),
+-                       (SQLINTEGER) query.length());
++    {
++        auto encoded = toSQLTCHAR(query);
++        r = SQLExecDirect(d->hStmt,
++                          encoded.data(),
++                          SQLINTEGER(encoded.size()));
++    }
+     if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) {
+         setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
+                      "Unable to execute statement"), QSqlError::StatementError, d));
+@@ -1355,9 +1360,12 @@ bool QODBCResult::prepare(const QString& query)
+         return false;
+     }
+
+-    r = SQLPrepare(d->hStmt,
+-                    toSQLTCHAR(query).data(),
+-                    (SQLINTEGER) query.length());
++    {
++        auto encoded = toSQLTCHAR(query);
++        r = SQLPrepare(d->hStmt,
++                       encoded.data(),
++                       SQLINTEGER(encoded.size()));
++    }
+
+     if (r != SQL_SUCCESS) {
+         setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
+@@ -1385,7 +1393,7 @@ bool QODBCResult::exec()
+         SQLCloseCursor(d->hStmt);
+
+     QVariantList &values = boundValues();
+-    QByteArrayList tmpStorage(values.count(), QByteArray()); // holds temporary buffers
++    QByteArrayList tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter()
+     QVarLengthArray<SQLLEN, 32> indicators(values.count());
+     memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN));
+
+@@ -1600,36 +1608,36 @@ bool QODBCResult::exec()
+             case QMetaType::QString:
+                 if (d->unicode) {
+                     QByteArray &ba = tmpStorage[i];
+-                    QString str = val.toString();
++                    {
++                        const auto encoded = toSQLTCHAR(val.toString());
++                        ba = QByteArray(reinterpret_cast<const char *>(encoded.data()),
++                                        encoded.size() * sizeof(SQLTCHAR));
++                    }
++
+                     if (*ind != SQL_NULL_DATA)
+-                        *ind = str.length() * sizeof(SQLTCHAR);
+-                    const qsizetype strSize = str.length() * sizeof(SQLTCHAR);
++                        *ind = ba.size();
+
+                     if (bindValueType(i) & QSql::Out) {
+-                        const QVarLengthArray<SQLTCHAR> a(toSQLTCHAR(str));
+-                        ba = QByteArray((const char *)a.constData(), int(a.size() * sizeof(SQLTCHAR)));
+                         r = SQLBindParameter(d->hStmt,
+                                             i + 1,
+                                             qParamType[bindValueType(i) & QSql::InOut],
+                                             SQL_C_TCHAR,
+-                                            strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
++                                            ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
+                                             0, // god knows... don't change this!
+                                             0,
+-                                            ba.data(),
++                                            const_cast<char *>(ba.constData()), // don't detach
+                                             ba.size(),
+                                             ind);
+                         break;
+                     }
+-                    ba = QByteArray(reinterpret_cast<const char *>(toSQLTCHAR(str).constData()),
+-                                    int(strSize));
+                     r = SQLBindParameter(d->hStmt,
+                                           i + 1,
+                                           qParamType[bindValueType(i) & QSql::InOut],
+                                           SQL_C_TCHAR,
+-                                          strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
+-                                          strSize,
++                                          ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
++                                          ba.size(),
+                                           0,
+-                                          const_cast<char *>(ba.constData()),
++                                          const_cast<char *>(ba.constData()), // don't detach
+                                           ba.size(),
+                                           ind);
+                     break;
+@@ -1991,14 +1999,16 @@ bool QODBCDriver::open(const QString & db,
+     SQLSMALLINT cb;
+     QVarLengthArray<SQLTCHAR> connOut(1024);
+     memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR));
+-    r = SQLDriverConnect(d->hDbc,
+-                          NULL,
+-                          toSQLTCHAR(connQStr).data(),
+-                          (SQLSMALLINT)connQStr.length(),
+-                          connOut.data(),
+-                          1024,
+-                          &cb,
+-                          /*SQL_DRIVER_NOPROMPT*/0);
++    {
++        auto encoded = toSQLTCHAR(connQStr);
++        r = SQLDriverConnect(d->hDbc,
++                             nullptr,
++                             encoded.data(), SQLSMALLINT(encoded.size()),
++                             connOut.data(),
++                             1024,
++                             &cb,
++                             /*SQL_DRIVER_NOPROMPT*/0);
++    }
+
+     if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) {
+         setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d));
+@@ -2377,17 +2387,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const
+     if (tableType.isEmpty())
+         return tl;
+
+-    QString joinedTableTypeString = tableType.join(u',');
++    {
++        auto joinedTableTypeString = toSQLTCHAR(tableType.join(u','));
+
+-    r = SQLTables(hStmt,
+-                   NULL,
+-                   0,
+-                   NULL,
+-                   0,
+-                   NULL,
+-                   0,
+-                   toSQLTCHAR(joinedTableTypeString).data(),
+-                   joinedTableTypeString.length() /* characters, not bytes */);
++        r = SQLTables(hStmt,
++                      nullptr, 0,
++                      nullptr, 0,
++                      nullptr, 0,
++                      joinedTableTypeString.data(), joinedTableTypeString.size());
++    }
+
+     if (r != SQL_SUCCESS)
+         qSqlWarning("QODBCDriver::tables Unable to execute table list"_L1, d);
+@@ -2460,28 +2468,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const
+                         SQL_ATTR_CURSOR_TYPE,
+                         (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
+                         SQL_IS_UINTEGER);
+-    r = SQLPrimaryKeys(hStmt,
+-                        catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
+-                        catalog.length(),
+-                        schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
+-                        schema.length(),
+-                        toSQLTCHAR(table).data(),
+-                        table.length() /* in characters, not in bytes */);
++    {
++        auto c = toSQLTCHAR(catalog);
++        auto s = toSQLTCHAR(schema);
++        auto t = toSQLTCHAR(table);
++        r = SQLPrimaryKeys(hStmt,
++                           catalog.isEmpty() ? nullptr : c.data(), c.size(),
++                           schema.isEmpty()  ? nullptr : s.data(), s.size(),
++                           t.data(), t.size());
++    }
+
+     // if the SQLPrimaryKeys() call does not succeed (e.g the driver
+     // does not support it) - try an alternative method to get hold of
+     // the primary index (e.g MS Access and FoxPro)
+     if (r != SQL_SUCCESS) {
+-            r = SQLSpecialColumns(hStmt,
+-                        SQL_BEST_ROWID,
+-                        catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
+-                        catalog.length(),
+-                        schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
+-                        schema.length(),
+-                        toSQLTCHAR(table).data(),
+-                        table.length(),
+-                        SQL_SCOPE_CURROW,
+-                        SQL_NULLABLE);
++        auto c = toSQLTCHAR(catalog);
++        auto s = toSQLTCHAR(schema);
++        auto t = toSQLTCHAR(table);
++        r = SQLSpecialColumns(hStmt,
++                              SQL_BEST_ROWID,
++                              catalog.isEmpty() ? nullptr : c.data(), c.size(),
++                              schema.isEmpty()  ? nullptr : s.data(), s.size(),
++                              t.data(), t.size(),
++                              SQL_SCOPE_CURROW,
++                              SQL_NULLABLE);
+
+             if (r != SQL_SUCCESS) {
+                 qSqlWarning("QODBCDriver::primaryIndex: Unable to execute primary key list"_L1, d);
+@@ -2562,15 +2572,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const
+                         SQL_ATTR_CURSOR_TYPE,
+                         (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
+                         SQL_IS_UINTEGER);
+-    r =  SQLColumns(hStmt,
+-                     catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
+-                     catalog.length(),
+-                     schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
+-                     schema.length(),
+-                     toSQLTCHAR(table).data(),
+-                     table.length(),
+-                     NULL,
+-                     0);
++    {
++        auto c = toSQLTCHAR(catalog);
++        auto s = toSQLTCHAR(schema);
++        auto t = toSQLTCHAR(table);
++        r =  SQLColumns(hStmt,
++                        catalog.isEmpty() ? nullptr : c.data(), c.size(),
++                        schema.isEmpty()  ? nullptr : s.data(), s.size(),
++                        t.data(), t.size(),
++                        nullptr,
++                        0);
++    }
+     if (r != SQL_SUCCESS)
+         qSqlWarning("QODBCDriver::record: Unable to execute column list"_L1, d);
+
diff --git a/qt6-base.changes b/qt6-base.changes
index ccd3f94..96ff32b 100644
--- a/qt6-base.changes
+++ b/qt6-base.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Feb  8 17:48:36 UTC 2023 - Christophe Marin <christophe@krop.fr>
+
+- Fix a possible DOS in the Qt ODBC driver plugin (CVE-2023-24607):
+  * CVE-2023-24607-qtbase-6.4.diff
+
 -------------------------------------------------------------------
 Fri Jan  6 16:46:36 UTC 2023 - Christophe Marin <christophe@krop.fr>
 
diff --git a/qt6-base.spec b/qt6-base.spec
index 5c1dbcf..f90e839 100644
--- a/qt6-base.spec
+++ b/qt6-base.spec
@@ -39,6 +39,7 @@ URL:            https://www.qt.io
 Source:         https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
 Source99:       qt6-base-rpmlintrc
 # Patches 0-100 are upstream patches #
+Patch0:         CVE-2023-24607-qtbase-6.4.diff
 # Patches 100-200 are openSUSE and/or non-upstream(able) patches #
 Patch100:       0001-Tell-the-truth-about-private-API.patch
 %if 0%{?suse_version} == 1500