author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-23 11:24:47 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-23 13:52:35 +0000 |
commit | 44d3c3535038d3a90142d718ff833f5f1ac2720a (patch) | |
tree | 42244feb1220c114614bbf75e17f122298fc7b12 | |
parent | 7479f2212e9280f887c11b41cb0907f1db3e0233 (diff) | |
download | qtsvg-44d3c3535038d3a90142d718ff833f5f1ac2720a.tar.gz |
Fix oom in QSvgTinyDocument::load
Avoid overflowing the size integer.
Fixes oss-fuzz 23606
Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 99a86c1bc347092d76f1288d901b30643b8eea6c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/svg/qsvgtinydocument.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 6889f7b..695e7c6 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -125,6 +125,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
 do {
 // Prepare the destination buffer
 int oldSize = destination.size();
+ if (oldSize > INT_MAX - CHUNK_SIZE) {
+ inflateEnd(&zlibStream);
+ qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+ return destination;
+ }
+
 destination.resize(oldSize + CHUNK_SIZE);
 zlibStream.next_out = reinterpret_cast<Bytef*>(
 destination.data() + oldSize - zlibStream.avail_out);
 |
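Review bot: The new overflow branch returns `destination` without trimming the part of the buffer that has not been written yet. The `next_out` computation just below (`destination.data() + oldSize - zlibStream.avail_out`) implies that the last `zlibStream.avail_out` bytes are still unfilled at this point, so the caller would get partial output followed by stale bytes. Adding `destination.chop(zlibStream.avail_out);` before `return destination;`, or returning an empty `QByteArray()` for this hard failure, would keep that tail away from the SVG parser. Separately, the guard only stops the `int` wrap: input that keeps inflating can still grow the buffer to almost `INT_MAX` bytes, so a much lower cap on decompressed size would address the out-of-memory case named in the title more directly. The body of `qt_inflateGZipDataFrom` starts and ends outside this hunk, so how its other exits treat the buffer is not visible here.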