SVG Image reading: Reject oversize svgs as corruptv5.12.12 5.12.12 5.12

Add an upper limit for height and width at 0xffff, same as jpeg. Fixes: QTBUG-95891 Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a Reviewed-by: Robert Löhning <robert.loehning@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> (cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da) Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2021-10-25 14:43:09 +0200
committer: Eirik Aavitsland <eirik.aavitsland@qt.io> 2021-11-08 22:03:27 +0000
commit: 85485845bdf502674edf4d5b840f0194e62da7bb (patch)
tree: e8bdf0455f4322b57e77d2fb5f1aba25e1a5f45b
parent: a3b753c2d077313fc9eb93af547051b956e383fc (diff)
download: qtsvg-5.12.12.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index 5e96d27..5011da9 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -177,6 +177,8 @@ bool QSvgIOHandler::read(QImage *image)
             bounds = t.mapRect(bounds);
         }
         if (image->size() != finalSize || !image->reinterpretAsFormat(QImage::Format_ARGB32_Premultiplied)) {
+            if (qMax(finalSize.width(), finalSize.height()) > 0xffff)
+                return false; // Assume corrupted file
             *image = QImage(finalSize, QImage::Format_ARGB32_Premultiplied);
             if (!finalSize.isEmpty() && image->isNull()) {
                 qWarning("QSvgIOHandler: QImage allocation failed (size %i x %i)", finalSize.width(), finalSize.height());
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2021-10-25 14:43:09 +0200
committer	Eirik Aavitsland <eirik.aavitsland@qt.io>	2021-11-08 22:03:27 +0000
commit	85485845bdf502674edf4d5b840f0194e62da7bb (patch)
tree	e8bdf0455f4322b57e77d2fb5f1aba25e1a5f45b
parent	a3b753c2d077313fc9eb93af547051b956e383fc (diff)
download	qtsvg-5.12.12.tar.gz