From 4e3679f4fb038727e3f5e1cfb4a17866a9b9f22a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lisandro=20Dami=C3=A1n=20Nicanor=20P=C3=A9rez=20Meyer?=
Date: Mon, 22 May 2023 10:39:52 -0300
Subject: [PATCH] Add patch for solving CVE-2023-32763.
---
 debian/changelog | 3 ++
 debian/patches/cve-2023-32763.diff | 58 ++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 62 insertions(+)
 create mode 100644 debian/patches/cve-2023-32763.diff
diff --git a/debian/changelog b/debian/changelog
index f55e036..4d4c01e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 qt6-base (6.4.2+dfsg-8) UNRELEASED; urgency=medium
+ [ Lisandro Damián Nicanor Pérez Meyer ]
+ * Add patch for solving CVE-2023-32763.
+
 -- Debian Qt/KDE Maintainers Mon, 22 May 2023 10:33:34 -0300
 qt6-base (6.4.2+dfsg-7) unstable; urgency=medium
diff --git a/debian/patches/cve-2023-32763.diff b/debian/patches/cve-2023-32763.diff
new file mode 100644
index 0000000..4d0f5f9
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,58 @@
+---
+ src/gui/painting/qfixed_p.h | 17 +++++++++++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -18,6 +18,7 @@
+ #include
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include "QtCore/qnumeric.h"
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i
+ constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
+ // constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = qAddOverflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
++inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = qMulOverflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, QFixed f)
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2105,11 +2105,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
diff --git a/debian/patches/series b/debian/patches/series
index 9cc6c0b..1bbf239 100644
--- a/debian/patches/series
+++ b/debian/patches/series
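Review bot: In the qtextlayout.cpp part of the embedded patch, `line.textWidth += trailingSpace;` directly after the two guarded additions is still a plain QFixed addition, so the saturation now applied to `eng->maxWidth` does not cover it. Whether it can wrap depends on how both values are bounded outside the hunk, so it is worth confirming that or guarding it with the same `qAddOverflow` pattern. The new `qAddOverflow`/`qMulOverflow` overloads in qfixed_p.h write `val` through `r` even when the call reports overflow, which deserves a comment such as `// On overflow *r is not meaningful; the caller must replace it (e.g. with QFIXED_MAX).` Both call sites clamp to `QFIXED_MAX` whatever the sign of the operands, which is correct only if these widths are never negative; that looks intended but is not established by the visible lines. The enclosing function in qtextlayout.cpp starts and ends outside the hunk.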
@@ -1,4 +1,5 @@
 # fixed in 6.5
+cve-2023-32763.diff
 upstream_Add-HPPA-detection.patch
 upstream_Add-M68k-detection.patch