From: Rafael Sadowski Subject: CVE-2025-5683: qt6-qtimageformats-6.8.3 To: ports@openbsd.org Cc: Rafael Sadowski Date: Sun, 3 Aug 2025 09:57:04 +0200 Simple diff to fix CVE-2025-5683 in qt6-qtimageformats-6.8.3. Tested on amd64. OK? Cheers Rafael
Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/qt6/qtimageformats/Makefile,v
diff -u -p -u -p -r1.3 Makefile
--- Makefile 26 Mar 2024 07:01:39 -0000 1.3
+++ Makefile 3 Aug 2025 07:56:18 -0000
@@ -1,6 +1,7 @@
 QT6NAME = QtImageFormats
 COMMENT = Qt6 additional image formats
 PKGSPEC = qt6-qtimageformats-${QT6_PKGSPEC}
+REVISION = 0

 WANTLIB += ${COMPILER_LIBCXX} GL Qt6Core Qt6Gui c jasper jpeg
 WANTLIB += m mng tiff webp webpdemux webpmux
Index: patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
===================================================================
RCS file: patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
diff -N patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_plugins_imageformats_icns_qicnshandler_cpp 3 Aug 2025 07:56:18 -0000
@@ -0,0 +1,28 @@
+https://download.qt.io/official_releases/qt/6.8/CVE-2025-5683-qtimageformats-6.8.patch
+
+Index: src/plugins/imageformats/icns/qicnshandler.cpp
+--- src/plugins/imageformats/icns/qicnshandler.cpp.orig
++++ src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -323,8 +323,11 @@ static inline bool isPowOf2OrDividesBy16(quint32 u, qr
+
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+- return header.ostype != 0 && (bound == 0
+- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++ return header.ostype != 0 &&
++ (bound == 0 ||
++ // qBound can be used but requires checking the limits first
++ // this requires less operations
++ (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -869,7 +872,7 @@ bool QICNSHandler::scanDevice()
+ return false;
+
+ const qint64 blockDataOffset = device()->pos();
+- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+ qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+ QByteArray::number(blockDataOffset).constData(),
+ nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
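Review bot: In the scanDevice() hunk the bound handed to isBlockHeaderValid() is still computed from the signed `qint64 blockDataOffset` and then converted implicitly to `quint64 bound`, so a result of zero is read as "no bound" (the `bound == 0` branch skips the length check) and a negative result wraps to a very large limit. The new comparison removes the qBound() precondition but does not cover those two cases; whether they are reachable depends on filelength and the device, which are outside the hunk, so this should be confirmed against the full function. A guard before the call would make the intent explicit, e.g. `const qint64 remaining = ICNSBlockHeaderSize - blockDataOffset + filelength;` followed by `if (remaining < qint64(ICNSBlockHeaderSize) || !isBlockHeaderValid(blockHeader, quint64(remaining))) {`. The patch file cites the upstream URL, so any such change belongs in the upstream fix rather than in this port; the body of scanDevice() continues outside the hunk.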