authorEirik Aavitsland <eirik.aavitsland@qt.io>2018-07-09 10:45:22 +0200
committerLars Knoll <lars.knoll@qt.io>2018-07-30 10:49:29 +0000
commit8c199714e9bc638fb3f6ec747fb7a23373e49335 (patch)
tree37d46783ebf5474b48a0e7bb84732e1820019424
parent59c8f354644b6016c6e0ac45e60d821544c6d4d2 (diff)
downloadqtsvg-8c199714e9bc638fb3f6ec747fb7a23373e49335.tar.gz
Fix crash when parsing malformed url reference
The parsing did not check for end of input. Change-Id: I56a478877d242146395977b767511425d2b8ced1 Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r--src/svg/qsvghandler.cpp11
-rw-r--r--tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp26
2 files changed, 32 insertions, 5 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 6d2e279..fe07d0e 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -774,16 +774,17 @@ static QVector<qreal> parsePercentageList(const QChar *&str)
static QString idFromUrl(const QString &url)
{
QString::const_iterator itr = url.constBegin();
- while ((*itr).isSpace())
+ QString::const_iterator end = url.constEnd();
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('('))
+ if (itr != end && (*itr) == QLatin1Char('('))
++itr;
- while ((*itr).isSpace())
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#'))
++itr;
QString id;
- while ((*itr) != QLatin1Char(')')) {
+ while (itr != end && (*itr) != QLatin1Char(')')) {
id += *itr;
++itr;
}
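Review bot: The id loop at the end of this hunk now stops at end of input but still hands back whatever it collected, so an unterminated reference such as `url(0` appears to yield the same id as a well-formed `url(#0)`. If truncated attributes from an untrusted SVG should not resolve to an element, add `if (itr == end) return QString();` directly after the loop; whether callers treat an empty id like a missing one cannot be confirmed from here. A short comment above the function, for example `// Input comes from the document and may end at any point; every dereference must be guarded by itr != end.`, would keep later edits from dropping a check. The return statement of idFromUrl lies outside the hunk.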
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 87d24c7..a8fc9de 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -54,6 +54,8 @@ private slots:
void getSetCheck();
void inexistentUrl();
void emptyUrl();
+ void invalidUrl_data();
+ void invalidUrl();
void testStrokeWidth();
void testMapViewBoxToTarget();
void testRenderElement();
@@ -132,6 +134,30 @@ void tst_QSvgRenderer::emptyUrl()
QVERIFY(renderer.isValid());
}
+void tst_QSvgRenderer::invalidUrl_data()
+{
+ QTest::addColumn<QByteArray>("svg");
+
+ QTest::newRow("00") << QByteArray("<svg><circle fill=\"url\" /></svg>");
+ QTest::newRow("01") << QByteArray("<svg><circle fill=\"url0\" /></svg>");
+ QTest::newRow("02") << QByteArray("<svg><circle fill=\"url(0\" /></svg>");
+ QTest::newRow("03") << QByteArray("<svg><circle fill=\"url (0\" /></svg>");
+ QTest::newRow("04") << QByteArray("<svg><circle fill=\"url ( 0\" /></svg>");
+ QTest::newRow("05") << QByteArray("<svg><circle fill=\"url#\" /></svg>");
+ QTest::newRow("06") << QByteArray("<svg><circle fill=\"url#(\" /></svg>");
+ QTest::newRow("07") << QByteArray("<svg><circle fill=\"url(#\" /></svg>");
+ QTest::newRow("08") << QByteArray("<svg><circle fill=\"url(# \" /></svg>");
+ QTest::newRow("09") << QByteArray("<svg><circle fill=\"url(# 0\" /></svg>");
+}
+
+void tst_QSvgRenderer::invalidUrl()
+{
+ QFETCH(QByteArray, svg);
+
+ QSvgRenderer renderer(svg);
+ QVERIFY(renderer.isValid());
+}
+
void tst_QSvgRenderer::testStrokeWidth()
{
qreal squareSize = 30.0;
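Review bot: None of the rows in invalidUrl_data() ends directly after the opening parenthesis, so the new `itr != end` guards on the second whitespace loop and on the `#` check are probably never exercised at end of input (assuming idFromUrl receives the text following `url`). Adding `QTest::newRow("10") << QByteArray("<svg><circle fill=\"url(\" /></svg>");` and a variant with trailing whitespace, `url( `, would cover them. invalidUrl() only asserts `renderer.isValid()`, and a read past the end of the string data does not necessarily crash an ordinary build, so these cases are a dependable regression check mainly when the suite runs under a memory checker.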