An out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect). External Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
Created mingw-qt5-qtbase tracking bugs for this issue:
Affects: fedora-all [bug 2037342]

Created qt3 tracking bugs for this issue:
Affects: fedora-all [bug 2037340]

Created qt5 tracking bugs for this issue:
Affects: fedora-all [bug 2037341]

Created qt5-qtbase tracking bugs for this issue:
Affects: fedora-all [bug 2037344]

Created qt6-qtbase tracking bugs for this issue:
Affects: fedora-all [bug 2037345]
Note that there seem to be some issues with the oss-fuzz bot that have led to this issue being closed and marked as resolved before it was actually resolved upstream. The series of oss-fuzz issues seems to be:

1.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 (linked in comment#0 above)
    qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend

2.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306
    qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QPodArrayOps<QPainterPath::Element>::copyAppend

3.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161
    qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend

So all of those issues are actually caused by the same one bug.
Reference for above info: https://github.com/google/oss-fuzz/issues/6237#issuecomment-900591242

Upstream patches:
5.12 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378662
6.2 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378661
dev branch: https://codereview.qt-project.org/c/qt/qtsvg/+/378250

Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161#c3
Flaw summary: qtsvg did not follow the SVG spec's requirement that path parsing error out on first issue encountered. It was possible for a crafted file to cause there to be too many QPainterPath elements and a subsequent out-of-bounds write. The upstream patch introduces the error handling functionality and sets the max number of path elements to 32767.
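The two defensive properties the flaw summary describes, stopping path parsing at the first malformed token and bounding the number of path elements, are illustrated below with a small SVG path-data parser. This is example code added here; it is not qtsvg's or QPainterPath's implementation. It parses only absolute M, L and Z commands, and the only value taken from the page is the 32767 element cap; the types, function names and sample paths are constructed for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Example parser (not Qt's) for a subset of SVG path data. It
// (1) stops at the first malformed token and reports where, and
// (2) refuses to append beyond kMaxPathElements, so a crafted path
//     cannot push element storage past a fixed bound.

// Element cap quoted from the page's description of the upstream fix.
constexpr std::size_t kMaxPathElements = 32767;

struct PathElement {
    enum Kind { MoveTo, LineTo, Close } kind;
    double x;
    double y;
};

struct ParseResult {
    bool ok;                        // false: parsing stopped at an error
    std::size_t errorPos;           // offset of the first bad token when !ok
    std::vector<PathElement> elems; // elements accepted before any error
};

namespace {

unsigned char uc(char c) { return static_cast<unsigned char>(c); }

void skipSeparators(const std::string& s, std::size_t& i) {
    while (i < s.size() && (std::isspace(uc(s[i])) || s[i] == ',')) ++i;
}

// Parses a decimal number at s[i]; leaves i untouched and returns false if none.
bool parseNumber(const std::string& s, std::size_t& i, double& out) {
    std::size_t start = i;
    if (i < s.size() && (s[i] == '+' || s[i] == '-')) ++i;
    bool digits = false;
    while (i < s.size() && std::isdigit(uc(s[i]))) { ++i; digits = true; }
    if (i < s.size() && s[i] == '.') {
        ++i;
        while (i < s.size() && std::isdigit(uc(s[i]))) { ++i; digits = true; }
    }
    if (!digits) { i = start; return false; }
    out = std::stod(s.substr(start, i - start));
    return true;
}

// Appends one element unless the cap would be exceeded.
bool pushElement(ParseResult& r, PathElement e) {
    if (r.elems.size() >= kMaxPathElements) return false;
    r.elems.push_back(e);
    return true;
}

ParseResult& fail(ParseResult& r, std::size_t pos) {
    r.ok = false;
    r.errorPos = pos;
    return r;
}

} // namespace

ParseResult parseSvgPath(const std::string& d) {
    ParseResult r{true, 0, {}};
    std::size_t i = 0;
    skipSeparators(d, i);
    // Path data must begin with an absolute moveto in this subset.
    if (i < d.size() && d[i] != 'M') return fail(r, i);
    char cmd = 0;
    while (i < d.size()) {
        std::size_t tokenPos = i;
        if (std::isalpha(uc(d[i]))) {
            cmd = d[i++];
            skipSeparators(d, i);
            if (cmd == 'Z') {
                if (!pushElement(r, {PathElement::Close, 0.0, 0.0})) return fail(r, tokenPos);
                continue;
            }
            if (cmd != 'M' && cmd != 'L') return fail(r, tokenPos); // unsupported command
        }
        if (cmd != 'M' && cmd != 'L') return fail(r, tokenPos); // coordinates after Z
        double x = 0.0, y = 0.0;
        if (!parseNumber(d, i, x)) return fail(r, i);
        skipSeparators(d, i);
        if (!parseNumber(d, i, y)) return fail(r, i);
        skipSeparators(d, i);
        PathElement::Kind kind = (cmd == 'M') ? PathElement::MoveTo : PathElement::LineTo;
        if (!pushElement(r, {kind, x, y})) return fail(r, tokenPos);
        if (cmd == 'M') cmd = 'L'; // extra pairs after a moveto are implicit linetos
    }
    return r;
}

// Constructed input: one moveto followed by lineCount linetos.
std::string makeLongPath(std::size_t lineCount) {
    std::string d = "M 0 0";
    for (std::size_t n = 0; n < lineCount; ++n) d += " L 1 1";
    return d;
}

int main() {
    ParseResult good = parseSvgPath("M 0 0 L 10 0 10 10 Z");
    std::printf("good: ok=%d elems=%zu\n", good.ok, good.elems.size());
    ParseResult bad = parseSvgPath("M 0 0 L 10 x 5 Z");
    std::printf("bad: ok=%d errorPos=%zu elems=%zu\n", bad.ok, bad.errorPos, bad.elems.size());
    ParseResult huge = parseSvgPath(makeLongPath(kMaxPathElements));
    std::printf("huge: ok=%d elems=%zu\n", huge.ok, huge.elems.size());
    return 0;
}
```

The caller gets the elements accepted up to the error together with the offset of the offending token, which is what a renderer needs to either draw the valid prefix or reject the file; the cap check sits in the single append helper so no command path can bypass it.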
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2022:1920 https://access.redhat.com/errata/RHSA-2022:1920
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-45930