authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-06-23 11:24:47 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-06-23 13:52:35 +0000
commit33081370e5ea540160d3239c23ff34594a15a701 (patch)
tree55d111e2c89b7ba532d48dc2f2068ee160743777
parentd439739e15c100f257a1a1842770c4282dc9666e (diff)
downloadqtsvg-33081370e5ea540160d3239c23ff34594a15a701.tar.gz
Fix oom in QSvgTinyDocument::load
Avoid overflowing the size integer. Fixes oss-fuzz 23606 Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319 Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 99a86c1bc347092d76f1288d901b30643b8eea6c) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/svg/qsvgtinydocument.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 9e5da82..295f535 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -127,6 +127,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
do {
// Prepare the destination buffer
int oldSize = destination.size();
+ if (oldSize > INT_MAX - CHUNK_SIZE) {
+ inflateEnd(&zlibStream);
+ qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+ return destination;
+ }
+
destination.resize(oldSize + CHUNK_SIZE);
zlibStream.next_out = reinterpret_cast<Bytef*>(
destination.data() + oldSize - zlibStream.avail_out);
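Review bot: The new early return hands back `destination` without trimming its unused tail: the following statement computes `next_out` as `destination.data() + oldSize - zlibStream.avail_out`, so when `avail_out` is non-zero the last `avail_out` bytes of the buffer were never written by inflate and would reach the caller as if they were decompressed data. Either trim first with `destination.chop(zlibStream.avail_out);` or return an empty `QByteArray()` so a truncated document is not parsed at all. Separately, the guard only fires at `INT_MAX - CHUNK_SIZE`, so a small, highly compressed input can still grow the buffer to almost 2 GiB before it is rejected; a much lower, explicit cap on inflated size would bound memory for untrusted files. The loop and the rest of `qt_inflateGZipDataFrom` lie outside the hunk, so whether `avail_out` can be non-zero at this point should be confirmed there.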