summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-06-23 17:47:03 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-06-24 15:25:51 +0000
commit6de62741019a1686e0af5d4e78b5d0f50fa18853 (patch)
tree37279b1a8f002527da7585a136226f56991797d0
parentd4bcb553695f7ac2659cd2f4eb3b534d0f9f11ca (diff)
downloadqtsvg-6de62741019a1686e0af5d4e78b5d0f50fa18853.tar.gz
Add error handling to color parsing
Also fixes undefined shift of negative values. Fixes oss-fuzz 23644 Change-Id: I08c998ebf2217cb8dc50fcb805603e01e67ad64b Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 9a0d4ff631003a84205c61bd7a6ef843207f1675) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/svg/qsvghandler.cpp41
1 files changed, 22 insertions, 19 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 7205cda..90d3a00 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -105,7 +105,7 @@ static inline QByteArray msgCouldNotResolveProperty(const QString &id, const QXm
// ======== duplicated from qcolor_p
-static inline int qsvg_h2i(char hex)
+static inline int qsvg_h2i(char hex, bool *ok = nullptr)
{
if (hex >= '0' && hex <= '9')
return hex - '0';
@@ -113,18 +113,20 @@ static inline int qsvg_h2i(char hex)
return hex - 'a' + 10;
if (hex >= 'A' && hex <= 'F')
return hex - 'A' + 10;
+ if (ok)
+ *ok = false;
return -1;
}
-static inline int qsvg_hex2int(const char *s)
+static inline int qsvg_hex2int(const char *s, bool *ok = nullptr)
{
- return (qsvg_h2i(s[0]) << 4) | qsvg_h2i(s[1]);
+ return (qsvg_h2i(s[0], ok) * 16) | qsvg_h2i(s[1], ok);
}
-static inline int qsvg_hex2int(char s)
+static inline int qsvg_hex2int(char s, bool *ok = nullptr)
{
- int h = qsvg_h2i(s);
- return (h << 4) | h;
+ int h = qsvg_h2i(s, ok);
+ return (h * 16) | h;
}
bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
@@ -134,26 +136,27 @@ bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
name++;
int len = qstrlen(name);
int r, g, b;
+ bool ok = true;
if (len == 12) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 4);
- b = qsvg_hex2int(name + 8);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 4, &ok);
+ b = qsvg_hex2int(name + 8, &ok);
} else if (len == 9) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 3);
- b = qsvg_hex2int(name + 6);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 3, &ok);
+ b = qsvg_hex2int(name + 6, &ok);
} else if (len == 6) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 2);
- b = qsvg_hex2int(name + 4);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 2, &ok);
+ b = qsvg_hex2int(name + 4, &ok);
} else if (len == 3) {
- r = qsvg_hex2int(name[0]);
- g = qsvg_hex2int(name[1]);
- b = qsvg_hex2int(name[2]);
+ r = qsvg_hex2int(name[0], &ok);
+ g = qsvg_hex2int(name[1], &ok);
+ b = qsvg_hex2int(name[2], &ok);
} else {
r = g = b = -1;
}
- if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255) {
+ if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255 || !ok) {
*rgb = 0;
return false;
}