diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-10-25 14:43:09 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2021-11-08 22:00:55 +0000 |
commit | 2f369e9110afa70417691906ad637acf7542738b (patch) | |
tree | c80dbb943a5b8660a7e5d42db6d330aa33360c58 | |
parent | bbded31c55936c4f98c05c69b3b9e72b4cac5138 (diff) | |
download | qtsvg-2f369e9110afa70417691906ad637acf7542738b.tar.gz |
SVG Image reading: Reject oversize svgs as corrupt
Add an upper limit for height and width at 0xffff, same as jpeg.
Fixes: QTBUG-95891
Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
-rw-r--r-- | src/plugins/imageformats/svg/qsvgiohandler.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp index 7ec20e4..edc30a5 100644 --- a/src/plugins/imageformats/svg/qsvgiohandler.cpp +++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp @@ -182,6 +182,8 @@ bool QSvgIOHandler::read(QImage *image) bounds = t.mapRect(bounds); } if (image->size() != finalSize || !image->reinterpretAsFormat(QImage::Format_ARGB32_Premultiplied)) { + if (qMax(finalSize.width(), finalSize.height()) > 0xffff) + return false; // Assume corrupted file *image = QImage(finalSize, QImage::Format_ARGB32_Premultiplied); if (!finalSize.isEmpty() && image->isNull()) { qWarning("QSvgIOHandler: QImage allocation failed (size %i x %i)", finalSize.width(), finalSize.height()); |