diff options
| author | Robert Loehning <robert.loehning@qt.io> | 2020-08-18 14:41:01 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-08-18 20:56:46 +0000 |
| commit | bc83d241c0d7754cd636eef4db3cd359c35b4297 (patch) | |
| tree | ad056617b2bf8e0c4b3bbc665f820a0ec1320629 | |
| parent | 1aadb618e89015fa27672b555a127dc6b726720c (diff) | |
| download | qtsvg-bc83d241c0d7754cd636eef4db3cd359c35b4297.tar.gz | |
Fix check against division by zero
The squared values must not be zero. Since both are qreal,
this can happen even when neither of them is zero itself.
Fixes: oss-fuzz-24738
Change-Id: I61b2bc891e7e3831d4b6ee68b467db28c4f877d4
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 7f1945c5fb492505db9a43853987eaf805291919)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/svg/qsvghandler.cpp | 9 | ||||
| -rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 8 |
2 files changed, 13 insertions, 4 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 9db653f..c937254 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -1533,7 +1533,10 @@ static void pathArc(QPainterPath &path, qreal y, qreal curx, qreal cury) { - if (!rx || !ry) + const qreal Pr1 = rx * rx; + const qreal Pr2 = ry * ry; + + if (!Pr1 || !Pr2) return; qreal sin_th, cos_th; @@ -1542,7 +1545,7 @@ static void pathArc(QPainterPath &path, qreal d, sfactor, sfactor_sq; qreal th0, th1, th_arc; int i, n_segs; - qreal dx, dy, dx1, dy1, Pr1, Pr2, Px, Py, check; + qreal dx, dy, dx1, dy1, Px, Py, check; rx = qAbs(rx); ry = qAbs(ry); @@ -1554,8 +1557,6 @@ static void pathArc(QPainterPath &path, dy = (cury - y) / 2.0; dx1 = cos_th * dx + sin_th * dy; dy1 = -sin_th * dx + cos_th * dy; - Pr1 = rx * rx; - Pr2 = ry * ry; Px = dx1 * dx1; Py = dy1 * dy1; /* Spec : check if radii are large enough */ diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 99e298b..8f1f03b 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -84,6 +84,7 @@ private slots: void duplicateStyleId(); void oss_fuzz_23731(); void oss_fuzz_24131(); + void oss_fuzz_24738(); #ifndef QT_NO_COMPRESS void testGzLoading(); @@ -1624,5 +1625,12 @@ void tst_QSvgRenderer::oss_fuzz_24131() renderer.render(&painter); } +void tst_QSvgRenderer::oss_fuzz_24738() +{ + // when configured with "-sanitize undefined", this resulted in: + // "runtime error: division by zero" + QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">")); +} + QTEST_MAIN(tst_QSvgRenderer) #include "tst_qsvgrenderer.moc" |