summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-06-23 11:24:47 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-06-23 13:52:35 +0000
commit44d3c3535038d3a90142d718ff833f5f1ac2720a (patch)
tree42244feb1220c114614bbf75e17f122298fc7b12
parent7479f2212e9280f887c11b41cb0907f1db3e0233 (diff)
downloadqtsvg-44d3c3535038d3a90142d718ff833f5f1ac2720a.tar.gz
Fix oom in QSvgTinyDocument::load
Avoid overflowing the size integer. Fixes ozz-fuzz 23606 Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319 Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 99a86c1bc347092d76f1288d901b30643b8eea6c) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/svg/qsvgtinydocument.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 6889f7b..695e7c6 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -125,6 +125,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
do {
// Prepare the destination buffer
int oldSize = destination.size();
+ if (oldSize > INT_MAX - CHUNK_SIZE) {
+ inflateEnd(&zlibStream);
+ qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+ return destination;
+ }
+
destination.resize(oldSize + CHUNK_SIZE);
zlibStream.next_out = reinterpret_cast<Bytef*>(
destination.data() + oldSize - zlibStream.avail_out);