diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-22 13:46:39 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-22 14:15:08 +0000 |
| commit | dd8505ae9c64ba04ecebd62a91ad098c01fb2f40 (patch) | |
| tree | 148a9923e36feea6f52598a52e27c95e22bd21b8 | |
| parent | bd39c96c80447c1a2258933ecd2c4afe9700d7bb (diff) | |
| download | qtsvg-dd8505ae9c64ba04ecebd62a91ad098c01fb2f40.tar.gz | |
Handle empty rects
Avoids a division by zero, also we don't appear to support auto sizes,
so width and height are required attributes.
Fixes oss-fuzz issue 23588.
Change-Id: Ib3474c2ed4409977f6ffcf73088956c6c59ce4ad
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
(cherry picked from commit 78cbbc1aa3a4802b2eeec8b5abfe196e05df1b16)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/svg/qsvghandler.cpp | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index fe79977..885ae9e 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -3058,17 +3058,27 @@ static QSvgNode *createRectNode(QSvgNode *parent, const QStringRef rx = attributes.value(QLatin1String("rx")); const QStringRef ry = attributes.value(QLatin1String("ry")); + bool ok = true; QSvgHandler::LengthType type; - qreal nwidth = parseLength(width, type, handler); + qreal nwidth = parseLength(width, type, handler, &ok); + if (!ok) + return nullptr; nwidth = convertToPixels(nwidth, true, type); - - qreal nheight = parseLength(height, type, handler); + qreal nheight = parseLength(height, type, handler, &ok); + if (!ok) + return nullptr; nheight = convertToPixels(nheight, true, type); qreal nrx = toDouble(rx); qreal nry = toDouble(ry); - QRectF bounds(toDouble(x), toDouble(y), - nwidth, nheight); + QRectF bounds(toDouble(x), toDouble(y), nwidth, nheight); + if (bounds.isEmpty()) + return nullptr; + + if (!rx.isEmpty() && ry.isEmpty()) + nry = nrx; + else if (!ry.isEmpty() && rx.isEmpty()) + nrx = nry; //9.2 The 'rect' element clearly specifies it // but the case might in fact be handled because @@ -3078,11 +3088,6 @@ static QSvgNode *createRectNode(QSvgNode *parent, if (nry > bounds.height()/2) nry = bounds.height()/2; - if (!rx.isEmpty() && ry.isEmpty()) - nry = nrx; - else if (!ry.isEmpty() && rx.isEmpty()) - nrx = nry; - //we draw rounded rect from 0...99 //svg from 0...bounds.width()/2 so we're adjusting the //coordinates |