[Development] How do I fix a vulnerability in Qt. I forward the question to someone, or should I write the code myself?

Bruno Crocamo bruno.crocamo at gmail.com
Thu Jul 9 20:11:06 CEST 2020

Thank you, Eddy.

Lars, in my first message I mentioned a link:

Here you can see the changes I made:

The changes made by me perform a reordering. This lessens the risk. But the
risk will always exist as long as there is a source of risk: the CMap

However, the change made was made in a version of Qt used in a third party

I don't know, for sure, how to make this modification official in Qt. I
believe that the best option is an analysis by a developer with more
experience about Qt. I understand that I have a minor contribution, very
punctual contribution, that does not break the code. But an analysis by
someone more experienced is required.

In fact, the Qt contribution guidelines talk about:

- "Add relevant reviewers to your change(s)";
- "If your contribution is deemed to not align with the project's vision or
goals, you should abandon the change at this point".

Thus, to make a change someone else's participation is required.

I appreciate the answer given by everyone,



On Thu, Jul 9, 2020 at 12:48, Thiago Macieira <thiago.macieira at intel.com> wrote:

> On Thursday, 9 July 2020 03:48:18 PDT Lars Knoll wrote:
> > The easiest fix for this would probably be to simply change the
> > "QList<int> glyph_indices;" in QFontSubset to a QSet.
> That would make the output non-deterministic. If determinism is wanted, a
> sorted container is preferable.
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel System Software Products