authorRobert Loehning <robert.loehning@qt.io>2020-07-20 19:07:11 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-07-29 16:16:48 +0000
commit4b1514df3c1f9c10d883b2dffff856321ccccca0 (patch)
tree6786c7bd9a4bb3c0ab9127cf3180da64b0c327f5
parent083d953e3c8db0bc4259236a9bd9a30562048926 (diff)
downloadqtsvg-4b1514df3c1f9c10d883b2dffff856321ccccca0.tar.gz
Avoid endless recursion when inflating gzip
Fixes: oss-fuzz-24146 Change-Id: I52a974e6a0694fb4afb50d932b2e99917c3034b2 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit 8368111c76471a7415c29ba293848003fca2a4af) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/svg/qsvgtinydocument.cpp8
-rw-r--r--tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp3
2 files changed, 6 insertions, 5 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index b77695b..cf7ba75 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -145,8 +145,7 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
inflateEnd(&zlibStream);
qCWarning(lcSvgHandler, "Error while inflating gzip file: %s",
(zlibStream.msg != NULL ? zlibStream.msg : "Unknown error"));
- destination.chop(zlibStream.avail_out);
- return destination;
+ return QByteArray();
}
}
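Review bot: The error branch now returns a default-constructed `QByteArray()`, and the patched caller in `QSvgTinyDocument::load` tells failure from success with `isNull()`, but nothing at this return states that contract. A short comment above the return would make it explicit, e.g. `// Discard partial output; a null QByteArray signals failure to callers`. The rest of `qt_inflateGZipDataFrom` lies outside the hunk, so its other return paths, and any other callers that previously consumed partially inflated data, should be checked against the same convention.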
@@ -204,7 +203,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
// Check for gzip magic number and inflate if appropriate
if (contents.startsWith("\x1f\x8b")) {
QBuffer buffer(const_cast<QByteArray *>(&contents));
- return load(qt_inflateGZipDataFrom(&buffer));
+ const QByteArray inflated = qt_inflateGZipDataFrom(&buffer);
+ if (inflated.isNull())
+ return nullptr;
+ return load(inflated);
}
#endif
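Review bot: The recursive `load(inflated)` call is still unbounded when inflation succeeds: if the inflated bytes themselves begin with `\x1f\x8b`, `load` inflates and recurses again, once per nested layer, and no depth limit is visible in this hunk. The added `isNull()` check stops only the failure case. Unless nested gzip is a supported input, consider rejecting it after the first inflate, `if (inflated.isNull() || inflated.startsWith("\x1f\x8b")) return nullptr;`, or otherwise capping the depth. The body of `load` continues outside the hunk.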
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index efd80dd..2acc06f 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -759,10 +759,9 @@ void tst_QSvgRenderer::testGzHelper_data()
"cbcfe70200a865327e040000001f8b08001c2a934800034b4a2ce20200e9b3a20404000000"))
<< QByteArray("foo\nbar\n");
- // We should still get data of the first member if subsequent members are corrupt
QTest::newRow("corruptedSecondMember") << QByteArray::fromHex(QByteArray("1f8b08001c2a934800034b"
"cbcfe70200a865327e040000001f8c08001c2a934800034b4a2ce20200e9b3a20404000000"))
- << QByteArray("foo\n");
+ << QByteArray();
}
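Review bot: The `corruptedSecondMember` row loses its explanatory comment without a replacement, so the reason an empty result is expected is no longer stated; something like `// A corrupt member invalidates the whole stream: no partial data is returned` would restore it. If the test compares with plain `QByteArray` equality, a null and an empty array compare equal, so this row would not pin the null result that `load` now relies on; an explicit `isNull()` check would. As far as this section shows, the rows exercise only the inflate helper, so the recursion in `QSvgTinyDocument::load` named in the commit title has no regression row here. `testGzHelper_data` starts outside the hunk.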