diff options
| author | Tarja Sundqvist <tarja.sundqvist@qt.io> | 2022-11-10 22:42:50 +0200 |
|---|---|---|
| committer | Tarja Sundqvist <tarja.sundqvist@qt.io> | 2022-11-10 22:42:50 +0200 |
| commit | 0c05780ea319ca9e9576ce3eb2ddea18b0ee975e (patch) | |
| tree | e6972a91e5714364c5068ee370c67d9b2705f000 | |
| parent | ea8154f37ca56b6b9951e2581ea1dda5cc060e57 (diff) | |
| parent | 2f369e9110afa70417691906ad637acf7542738b (diff) | |
| download | qtsvg-0c05780ea319ca9e9576ce3eb2ddea18b0ee975e.tar.gz | |
Merge remote-tracking branch 'origin/tqtc/lts-5.15.8' into tqtc/lts-5.15-opensourcev5.15.8-lts-lgpl
Change-Id: I6bfe5e884af627eb1f94853a8916b7824f964c40
| -rw-r--r-- | .qmake.conf | 2 | ||||
| -rw-r--r-- | src/plugins/imageformats/svg/qsvgiohandler.cpp | 2 | ||||
| -rw-r--r-- | src/svg/qsvghandler.cpp | 59 |
3 files changed, 28 insertions, 35 deletions
diff --git a/.qmake.conf b/.qmake.conf index 5aef150..1c703d4 100644 --- a/.qmake.conf +++ b/.qmake.conf @@ -3,4 +3,4 @@ load(qt_build_config) CONFIG += warning_clean DEFINES += QT_NO_FOREACH -MODULE_VERSION = 5.15.7 +MODULE_VERSION = 5.15.8 diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp index 4136aaf..561e77e 100644 --- a/src/plugins/imageformats/svg/qsvgiohandler.cpp +++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp @@ -182,6 +182,8 @@ bool QSvgIOHandler::read(QImage *image) bounds = t.mapRect(bounds); } if (image->size() != finalSize || !image->reinterpretAsFormat(QImage::Format_ARGB32_Premultiplied)) { + if (qMax(finalSize.width(), finalSize.height()) > 0xffff) + return false; // Assume corrupted file *image = QImage(finalSize, QImage::Format_ARGB32_Premultiplied); if (!finalSize.isEmpty() && image->isNull()) { qWarning("QSvgIOHandler: QImage allocation failed (size %i x %i)", finalSize.width(), finalSize.height()); diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 299efac..a5f877f 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -1626,6 +1626,7 @@ static void pathArc(QPainterPath &path, static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) { + const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this qreal x0 = 0, y0 = 0; // starting point qreal x = 0, y = 0; // current point char lastMode = 0; @@ -1633,7 +1634,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) const QChar *str = dataStr.constData(); const QChar *end = str + dataStr.size(); - while (str != end) { + bool ok = true; + while (ok && str != end) { while (str->isSpace() && (str + 1) != end) ++str; QChar pathElem = *str; @@ -1650,14 +1652,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) arg.append(0);//dummy const qreal *num = arg.constData(); int count = arg.count(); - while (count > 0) { + while (ok && count > 0) { qreal offsetX = x; // correction offsets qreal offsetY = y; // for relative commands switch (pathElem.unicode()) { case 'm': { if (count < 2) { - num++; - count--; + ok = false; break; } x = x0 = num[0] + offsetX; @@ -1674,8 +1675,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'M': { if (count < 2) { - num++; - count--; + ok = false; break; } x = x0 = num[0]; @@ -1701,8 +1701,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'l': { if (count < 2) { - num++; - count--; + ok = false; break; } x = num[0] + offsetX; @@ -1715,8 +1714,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'L': { if (count < 2) { - num++; - count--; + ok = false; break; } x = num[0]; @@ -1756,8 +1754,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'c': { if (count < 6) { - num += count; - count = 0; + ok = false; break; } QPointF c1(num[0] + offsetX, num[1] + offsetY); @@ -1773,8 +1770,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'C': { if (count < 6) { - num += count; - count = 0; + ok = false; break; } QPointF c1(num[0], num[1]); @@ -1790,8 +1786,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 's': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c1; @@ -1812,8 +1807,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'S': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c1; @@ -1834,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'q': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c(num[0] + offsetX, num[1] + offsetY); @@ -1850,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'Q': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c(num[0], num[1]); @@ -1866,8 +1858,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 't': { if (count < 2) { - num += count; - count = 0; + ok = false; break; } QPointF e(num[0] + offsetX, num[1] + offsetY); @@ -1887,8 +1878,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'T': { if (count < 2) { - num += count; - count = 0; + ok = false; break; } QPointF e(num[0], num[1]); @@ -1908,8 +1898,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } case 'a': { if (count < 7) { - num += count; - count = 0; + ok = false; break; } qreal rx = (*num++); @@ -1931,8 +1920,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) break; case 'A': { if (count < 7) { - num += count; - count = 0; + ok = false; break; } qreal rx = (*num++); @@ -1953,12 +1941,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) } break; default: - return false; + ok = false; + break; } lastMode = pathElem.toLatin1(); + if (path.elementCount() > maxElementCount) + ok = false; } } - return true; + return ok; } static bool parseStyle(QSvgNode *node, @@ -2995,8 +2986,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, QPainterPath qpath; qpath.setFillRule(Qt::WindingFill); - //XXX do error handling - parsePathDataFast(data, qpath); + if (!parsePathDataFast(data, qpath)) + qCWarning(lcSvgHandler, "Invalid path data; path truncated."); QSvgNode *path = new QSvgPath(parent, qpath); return path; |