author | Robert Loehning <robert.loehning@qt.io> | 2020-08-18 14:41:01 +0200 |
---|---|---|
committer | Robert Loehning <robert.loehning@qt.io> | 2020-08-19 10:19:01 +0000 |
commit | 26357baa20e363839587cce04fc4c91c101a3d3f (patch) | |
tree | f1615afda0b0c4a1094148b218bd0357dd2eb98d | |
parent | 7cb72504765a8196c524c7b9ccac6d67a1728ab5 (diff) | |
download | qtsvg-26357baa20e363839587cce04fc4c91c101a3d3f.tar.gz |
Fix check against division by zero
The squared values must not be zero. Since both are qreal, a square can be zero
even when the value being squared is not.
Fixes: oss-fuzz-24738
Change-Id: I61b2bc891e7e3831d4b6ee68b467db28c4f877d4
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 7f1945c5fb492505db9a43853987eaf805291919)
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
-rw-r--r-- | src/svg/qsvghandler.cpp | 9 | ||||
-rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 20 |
2 files changed, 25 insertions, 4 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 1a0d0f2..0190e69 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -1529,7 +1529,10 @@ static void pathArc(QPainterPath &path,
 qreal y,
 qreal curx, qreal cury)
 {
- if (!rx || !ry)
+ const qreal Pr1 = rx * rx;
+ const qreal Pr2 = ry * ry;
+
+ if (!Pr1 || !Pr2)
 return;
 
 qreal sin_th, cos_th;
@@ -1538,7 +1541,7 @@ static void pathArc(QPainterPath &path,
 qreal d, sfactor, sfactor_sq;
 qreal th0, th1, th_arc;
 int i, n_segs;
- qreal dx, dy, dx1, dy1, Pr1, Pr2, Px, Py, check;
+ qreal dx, dy, dx1, dy1, Px, Py, check;
 
 rx = qAbs(rx);
 ry = qAbs(ry);
@@ -1550,8 +1553,6 @@ static void pathArc(QPainterPath &path,
 dy = (cury - y) / 2.0;
 dx1 = cos_th * dx + sin_th * dy;
 dy1 = -sin_th * dx + cos_th * dy;
- Pr1 = rx * rx;
- Pr2 = ry * ry;
 Px = dx1 * dx1;
 Py = dy1 * dy1;
 /* Spec : check if radii are large enough */
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 2acc06f..81c57f7 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -81,6 +81,8 @@ private slots:
 void styleSheet();
 void duplicateStyleId();
 void oss_fuzz_23731();
+ void oss_fuzz_24131();
+ void oss_fuzz_24738();
 
 #ifndef QT_NO_COMPRESS
 void testGzLoading();
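Review bot: The new guard `if (!Pr1 || !Pr2)` in the first hunk only rejects squares that compare equal to zero, so a NaN radius, if the path parser can hand one in, passes it because `!NaN` is false and then reaches the division by Pr1/Pr2 that the commit message describes (that division lies beyond the third hunk). `if (!(Pr1 > 0) || !(Pr2 > 0)) return;` rejects zero, underflow and NaN in one comparison, and is still correct ahead of the `rx = qAbs(rx)` normalisation because a square is never negative. A short comment at the guard would also record why the squares rather than the radii are tested, e.g. `// rx*rx and ry*ry are the divisors below and can underflow to 0 for tiny non-zero radii`. The second and third hunks only drop the old declaration and assignment of Pr1/Pr2 and need nothing further; pathArc's body continues past the last hunk.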
@@ -1534,5 +1536,23 @@ void tst_QSvgRenderer::oss_fuzz_23731()
 QSvgRenderer().load(QByteArray("<svg><path d=\"A4------\">"));
 }
 
+void tst_QSvgRenderer::oss_fuzz_24131()
+{
+ // when configured with "-sanitize undefined", this resulted in:
+ // "runtime error: -nan is outside the range of representable values of type 'int'"
+ // runtime error: signed integer overflow: -2147483648 + -2147483648 cannot be represented in type 'int'
+ QImage image(377, 233, QImage::Format_RGB32);
+ QPainter painter(&image);
+ QSvgRenderer renderer(QByteArray("<svg><path d=\"M- 4 44044404444E-334-\"/></svg>"));
+ renderer.render(&painter);
+}
+
+void tst_QSvgRenderer::oss_fuzz_24738()
+{
+ // when configured with "-sanitize undefined", this resulted in:
+ // "runtime error: division by zero"
+ QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">"));
+}
+
 QTEST_MAIN(tst_QSvgRenderer)
 #include "tst_qsvgrenderer.moc"
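Review bot: The new oss_fuzz_24738 test asserts nothing, so in a build without `-sanitize undefined` a regression of the pathArc guard would produce inf/NaN silently and the test would still pass; the comment should state that this is a sanitizer-only check, e.g. `// no assertion: a regression is only observable as a UBSan report`. The same applies to the oss_fuzz_24131 test added above it, which additionally is not named in the commit message (only oss-fuzz-24738 is), so a reader cannot tell from this commit whether it is a regression test for an earlier fix or is covered by this change; a one-line comment naming the change it guards, presumably a separate commit, would settle that.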