Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qtsvg for CVE-2025-10729 [HIGH] - branch 3.0-dev" microsoft#14879

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>
Co-authored-by: akhila-guruju <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>

Author: 4 people

SPECS/qtsvg/CVE-2025-10729.patch

@@ -0,0 +1,105 @@
+From 40e56c7fd9c3b2da25f64d63865cd014867e0be9 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 7 Oct 2025 06:28:14 +0000
+Subject: [PATCH] Backport: Avoid creating and deleting misplaced group nodes;
+ add test for misplaced element causing dangling reference.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://code.qt.io/cgit/qt/qtsvg.git/patch/?id=6a6273126770006232e805cf1631f93d4919b788
+---
+ src/svg/qsvghandler.cpp                      | 20 ++++++++-------
+ tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 27 ++++++++++++++++++++
+ 2 files changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 335500a..e6c07d7 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -3727,11 +3727,12 @@ bool QSvgHandler::startElement(const QString &localName,
+ 
+     if (FactoryMethod method = findGroupFactory(localName)) {
+         //group
+-        node = method(m_doc ? m_nodes.top() : 0, attributes, this);
+-        Q_ASSERT(node);
+         if (!m_doc) {
+-            Q_ASSERT(node->type() == QSvgNode::DOC);
+-            m_doc = static_cast<QSvgTinyDocument*>(node);
++            node = method(nullptr, attributes, this);
++            if (node) {
++                Q_ASSERT(node->type() == QSvgNode::DOC);
++                m_doc = static_cast<QSvgTinyDocument*>(node);
++            }
+         } else {
+             switch (m_nodes.top()->type()) {
+             case QSvgNode::DOC:
+@@ -3739,16 +3740,17 @@ bool QSvgHandler::startElement(const QString &localName,
+             case QSvgNode::DEFS:
+             case QSvgNode::SWITCH:
+             {
+-                QSvgStructureNode *group =
+-                    static_cast<QSvgStructureNode*>(m_nodes.top());
+-                group->addChild(node, someId(attributes));
++                node = method(m_nodes.top(), attributes, this);
++                if (node) {
++                    QSvgStructureNode *group =
++                        static_cast<QSvgStructureNode*>(m_nodes.top());
++                    group->addChild(node, someId(attributes));
++                }
+             }
+                 break;
+             default:
+                 const QByteArray msg = QByteArrayLiteral("Could not add child element to parent element because the types are incorrect.");
+                 qCWarning(lcSvgHandler, "%s", prefixMessage(msg, xml).constData());
+-                delete node;
+-                node = 0;
+                 break;
+             }
+         }
+diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+index ec67a2b..c92e3b1 100644
+--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
++++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+@@ -66,6 +66,7 @@ private slots:
+     void illegalAnimateTransform();
+     void tSpanLineBreak();
+ 
++    void testMisplacedElement();
+ #ifndef QT_NO_COMPRESS
+     void testGzLoading();
+     void testGzHelper_data();
+@@ -1691,6 +1692,32 @@ void tst_QSvgRenderer::imageRendering() {
+         p2.end();
+         QCOMPARE(img1, img2);
+     }
++
++void tst_QSvgRenderer::testMisplacedElement()
++{
++    // This input caused a QSvgPattern node to be created with a QSvgPatternStyle referencing to it.
++    // The code then detected that the <pattern> element is misplaced in the <text> element and
++    // deleted it. That left behind the QSvgPatternStyle pointing to the deleted QSvgPattern. That
++    // was reported when running the test with ASAN or UBSAN.
++    QByteArray svg(R"(<svg>
++                      <text><pattern id="ptn" width="4" height="4"/></text>
++                      <g fill="url(#ptn) "/>
++                      </svg>)");
++
++    QImage image(20, 20, QImage::Format_ARGB32_Premultiplied);
++    image.fill(Qt::green);
++    QImage refImage = image.copy();
++
++    QTest::ignoreMessage(QtWarningMsg, "<input>:2:68: Could not add child element to parent "
++                                       "element because the types are incorrect.");
++    QTest::ignoreMessage(QtWarningMsg, "<input>:4:28: Could not resolve property: #ptn");
++
++    QSvgRenderer renderer(svg);
++    QPainter painter(&image);
++    renderer.render(&painter);
++    QCOMPARE(image, refImage);
++}
++
+ }
+ 
+ void tst_QSvgRenderer::illegalAnimateTransform_data()
+-- 
+2.45.4
+

SPECS/qtsvg/qtsvg.spec

@@ -4,13 +4,14 @@
 Summary:        Qt6 - Support for rendering and displaying SVG
 Name:           qtsvg
 Version:        6.6.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:        GFDL AND GPLv2+ WITH exceptions AND LGPLv2.1+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://www.qt.io
 Source0:        https://download.qt.io/archive/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz
+Patch0:         CVE-2025-10729.patch
 %{?_qt5:Requires: %{_qt}%{?_isa} = %{_qt_version}}
 BuildRequires:  qtbase-devel >= %{version}
 BuildRequires:  qtbase-private-devel
@@ -89,6 +90,9 @@ popd
 
 
 %changelog
+* Tue Oct 07 2025 Azure Linux Security Servicing Account <[email protected]> - 6.6.1-3
+- Patch for CVE-2025-10729
+
 * Mon Apr 07 2025 Andrew Phelps <[email protected]> - 6.6.1-2
 - Bump release to recompile with qtbase-devel-6.6.3