microsoft · jslobodzian · Oct 17, 2025 · Oct 7, 2025 · Oct 9, 2025 · Oct 13, 2025
@@ -0,0 +1,112 @@
+From b4112e9c8ff75ca03de65236058af41598308ca3 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 7 Oct 2025 10:08:13 +0000
+Subject: [PATCH] Don't create group nodes which will be deleted anyway; add
+ test for misplaced element. Task-number: QTBUG-139961
+
+The old code first created the nodes, then checked whether their parent element has the right type and deleted them if not. This was wasted effort and could also lead to dangling pointers.
+
+Instead, first check the parent's type and only create the node if that matches.
+
+Reviewed-by: Hatem ElKharashy <[email protected]>
+Reviewed-by: Jani Heikkinen <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://code.qt.io/cgit/qt/qtsvg.git/patch/?id=6a6273126770006232e805cf1631f93d4919b788
+---
+ src/svg/qsvghandler.cpp                      | 20 ++++++++------
+ tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 29 ++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 0b3341a..ed6258d 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -3730,11 +3730,12 @@ bool QSvgHandler::startElement(const QString &localName,
+
+     if (FactoryMethod method = findGroupFactory(localName)) {
+         //group
+-        node = method(m_doc ? m_nodes.top() : 0, attributes, this);
+-        Q_ASSERT(node);
+         if (!m_doc) {
+-            Q_ASSERT(node->type() == QSvgNode::DOC);
+-            m_doc = static_cast<QSvgTinyDocument*>(node);
++            node = method(nullptr, attributes, this);
++            if (node) {
++                Q_ASSERT(node->type() == QSvgNode::DOC);
++                m_doc = static_cast<QSvgTinyDocument*>(node);
++            }
+         } else {
+             switch (m_nodes.top()->type()) {
+             case QSvgNode::DOC:
+@@ -3742,16 +3743,17 @@ bool QSvgHandler::startElement(const QString &localName,
+             case QSvgNode::DEFS:
+             case QSvgNode::SWITCH:
+             {
+-                QSvgStructureNode *group =
+-                    static_cast<QSvgStructureNode*>(m_nodes.top());
+-                group->addChild(node, someId(attributes));
++                node = method(m_nodes.top(), attributes, this);
++                if (node) {
++                    QSvgStructureNode *group =
++                        static_cast<QSvgStructureNode*>(m_nodes.top());
++                    group->addChild(node, someId(attributes));
++                }
+             }
+                 break;
+             default:
+                 const QByteArray msg = QByteArrayLiteral("Could not add child element to parent element because the types are incorrect.");
+                 qCWarning(lcSvgHandler, "%s", prefixMessage(msg, xml).constData());
+-                delete node;
+-                node = 0;
+                 break;
+             }
+         }
+diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+index 81c57f7..a0a3d6d 100644
+--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
++++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+@@ -83,6 +83,7 @@ private slots:
+     void oss_fuzz_23731();
+     void oss_fuzz_24131();
+     void oss_fuzz_24738();
++    void testMisplacedElement();
+
+ #ifndef QT_NO_COMPRESS
+     void testGzLoading();
+@@ -1554,5 +1555,33 @@ void tst_QSvgRenderer::oss_fuzz_24738()
+     QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">"));
+ }
+
++
++void tst_QSvgRenderer::testMisplacedElement()
++{
++    // This input caused a QSvgPattern node to be created with a QSvgPatternStyle referencing to it.
++    // The code then detected that the <pattern> element is misplaced in the <text> element and
++    // deleted it. That left behind the QSvgPatternStyle pointing to the deleted QSvgPattern. That
++    // was reported when running the test with ASAN or UBSAN.
++    QByteArray svg(R"(<svg>
++                      <text><pattern id="ptn" width="4" height="4"/></text>
++                      <g fill="url(#ptn) "/>
++                      </svg>)");
++
++    QImage image(20, 20, QImage::Format_ARGB32_Premultiplied);
++    image.fill(Qt::green);
++    QImage refImage = image.copy();
++
++    QTest::ignoreMessage(QtWarningMsg, "<input>:2:68: Could not add child element to parent "
++                                       "element because the types are incorrect.");
++    QTest::ignoreMessage(QtWarningMsg, "<input>:4:28: Could not resolve property: #ptn");
++
++    QSvgRenderer renderer(svg);
++    QPainter painter(&image);
++    renderer.render(&painter);
++    QCOMPARE(image, refImage);
++}
++
++}
++
+ QTEST_MAIN(tst_QSvgRenderer)
+ #include "tst_qsvgrenderer.moc"
+-- 
+2.45.4
+
@@ -3,7 +3,7 @@
 Summary:        Qt5 - Support for rendering and displaying SVG
 Name:           qt5-qtsvg
 Version:        5.12.11
-Release:        6%{?dist}
+Release:        7%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:        GFDL AND GPLv2+ WITH exceptions AND LGPLv2.1+
 Vendor:         Microsoft Corporation
@@ -16,6 +16,7 @@ Patch101:       CVE-2018-21035.nopatch
 # Vulnerability is limited to the Windows OS.
 Patch102:       CVE-2022-25634.nopatch
 Patch103:       CVE-2023-32573.patch
+Patch104:       CVE-2025-10729.patch
 %{?_qt5:Requires: %{_qt5}%{?_isa} = %{_qt5_version}}
 BuildRequires:  qt5-qtbase-devel >= %{version}
 BuildRequires:  qt5-qtbase-private-devel
@@ -84,6 +85,9 @@ popd
 %{_qt5_examplesdir}/
 
 %changelog
+* Tue Oct 07 2025 Azure Linux Security Servicing Account <[email protected]> - 5.12.11-7
+- Patch for CVE-2025-10729
+
 * Mon Aug 28 2023 Andrew Phelps <[email protected]> - 5.12.11-6
 - Bump release to rebuild with qt5-qtbase >= 5.12.11-9, which contains fix for CVE-2023-37369
 - Lint spec.