SVG Image reading: Reject oversize svgs as corrupt

Add an upper limit for height and width at 0xffff, same as jpeg.

Fixes: QTBUG-95891
Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>

1 files changed, 2 insertions, 0 deletions

diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index 7ec20e4..edc30a5 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -182,6 +182,8 @@ bool QSvgIOHandler::read(QImage *image)
             bounds = t.mapRect(bounds);
         }
         if (image->size() != finalSize || !image->reinterpretAsFormat(QImage::Format_ARGB32_Premultiplied)) {
+            if (qMax(finalSize.width(), finalSize.height()) > 0xffff)
+                return false; // Assume corrupted file
             *image = QImage(finalSize, QImage::Format_ARGB32_Premultiplied);
             if (!finalSize.isEmpty() && image->isNull()) {
                 qWarning("QSvgIOHandler: QImage allocation failed (size %i x %i)", finalSize.width(), finalSize.height());