[High] Patch qt5-qtbase for CVE-2025-6558 (microsoft#14367)

Co-authored-by: jslobodzian <[email protected]>

Author: kevin-b-lockwood

SPECS/qt5-qtbase/CVE-2025-6558.patch

@@ -0,0 +1,97 @@
+From 33defc607f50e3f47442c716df697290a5380d4c Mon Sep 17 00:00:00 2001
+From: Geoff Lang <[email protected]>
+Date: Wed, 25 Jun 2025 13:17:47 -0400
+Subject: [PATCH] Validate buffers bound for transform feedback are not
+ modified.
+
+Upstream Patch Link: https://chromium.googlesource.com/angle/angle/+/2f8193ecfe1ed464374ae56235cfdc112343f9c3
+
+(Edited/backported by <[email protected]> for clean application)
+
+The ES spec says it is undefined to write to a buffer that is currently
+being used for transform feedback output but recommends generating an
+error. Generate INVALID_OPERATION in this case.
+
+Bug: chromium:427162086
+Change-Id: I727d18c2035509fe2e5d60680eb5198e40a60e33
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/6673310
+Commit-Queue: Geoff Lang <[email protected]>
+Reviewed-by: Vasiliy Telezhnikov <[email protected]>
+---
+ .../angle/src/libANGLE/TransformFeedback.cpp  | 12 +++++++++++
+ .../angle/src/libANGLE/TransformFeedback.h    |  4 ++++
+ .../angle/src/libANGLE/validationES2.cpp      | 20 +++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/src/3rdparty/angle/src/libANGLE/TransformFeedback.cpp b/src/3rdparty/angle/src/libANGLE/TransformFeedback.cpp
+index 99235deb..4f9b3110 100644
+--- a/src/3rdparty/angle/src/libANGLE/TransformFeedback.cpp
++++ b/src/3rdparty/angle/src/libANGLE/TransformFeedback.cpp
+@@ -197,6 +197,18 @@ void TransformFeedback::bindIndexedBuffer(const Context *context,
+     mImplementation->bindIndexedBuffer(index, mState.mIndexedBuffers[index]);
+ }
+ 
++bool TransformFeedback::isBufferBound(BufferID bufferID) const
++{
++    for (const auto &buffer : mState.mIndexedBuffers)
++    {
++        if (buffer.id() == bufferID)
++        {
++            return true;
++        }
++    }
++    return false;
++}
++
+ const OffsetBindingPointer<Buffer> &TransformFeedback::getIndexedBuffer(size_t index) const
+ {
+     ASSERT(index < mState.mIndexedBuffers.size());
+diff --git a/src/3rdparty/angle/src/libANGLE/TransformFeedback.h b/src/3rdparty/angle/src/libANGLE/TransformFeedback.h
+index 2b35d43f..e1fd53ce 100644
+--- a/src/3rdparty/angle/src/libANGLE/TransformFeedback.h
++++ b/src/3rdparty/angle/src/libANGLE/TransformFeedback.h
+@@ -84,6 +84,10 @@ class TransformFeedback final : public RefCountObject, public LabeledObject
+     const OffsetBindingPointer<Buffer> &getIndexedBuffer(size_t index) const;
+     size_t getIndexedBufferCount() const;
+ 
++    // Returns true if the buffer is bound to any of the indexed binding points in this transform
++    // feedback.
++    bool isBufferBound(BufferID bufferID) const;
++
+     void detachBuffer(const Context *context, GLuint bufferName);
+ 
+     rx::TransformFeedbackImpl *getImplementation();
+diff --git a/src/3rdparty/angle/src/libANGLE/validationES2.cpp b/src/3rdparty/angle/src/libANGLE/validationES2.cpp
+index 5e505aa6..0469728c 100644
+--- a/src/3rdparty/angle/src/libANGLE/validationES2.cpp
++++ b/src/3rdparty/angle/src/libANGLE/validationES2.cpp
+@@ -4220,6 +4220,26 @@ bool ValidateBufferData(ValidationContext *context,
+         return false;
+     }
+ 
++    // Do some additional WebGL-specific validation
++    if (ANGLE_UNLIKELY(context->isWebGL()))
++    {
++        if (buffer->hasWebGLXFBBindingConflict(true))
++        {
++            ANGLE_VALIDATION_ERR(context, InvalidOperation(), BufferBoundForTransformFeedback);
++            return false;
++        }
++
++        const TransformFeedback *transformFeedbackObject =
++            context->getState().getCurrentTransformFeedback();
++        if (transformFeedbackObject && transformFeedbackObject->isActive() &&
++            !transformFeedbackObject->isPaused() &&
++            transformFeedbackObject->isBufferBound(buffer->id()))
++        {
++            ANGLE_VALIDATION_ERR(context, InvalidOperation(), BufferBoundForTransformFeedback);
++            return false;
++        }
++    }
++
+     return true;
+ }
+ 
+-- 
+2.34.1
+

SPECS/qt5-qtbase/qt5-qtbase.spec

@@ -33,7 +33,7 @@
 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
 Version:      5.12.11
-Release:      16%{?dist}
+Release:      17%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -168,6 +168,7 @@ Patch93: CVE-2022-25255.patch
 Patch94: CVE-2024-25580.patch
 Patch95: CVE-2023-34410.patch
 Patch96: CVE-2025-30348.patch
+Patch97: CVE-2025-6558.patch
 
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -777,6 +778,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 
 %changelog
+* Mon Jul 21 2025 Kevin Lockwood <[email protected]> - 5.12.11-17
+- Fix CVE-2025-6558
+
 * Fri Jun 13 2025 Jyoti Kanase <[email protected]> - 5.12.11-16
 - Fix CVE-2025-30348