diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-23 10:27:37 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-24 15:22:23 +0000 |
| commit | d4bcb553695f7ac2659cd2f4eb3b534d0f9f11ca (patch) | |
| tree | 880ef07fda053c35baf667c00e82f64a47c6cf60 | |
| parent | 33081370e5ea540160d3239c23ff34594a15a701 (diff) | |
| download | qtsvg-d4bcb553695f7ac2659cd2f4eb3b534d0f9f11ca.tar.gz | |
Fix stack overflow in QSvgHandler::resolveGradients
Add a maximum to how deep it will nest.
Fixes oss-fuzz 23643
Change-Id: I6183c04f65a539a6c7df42bc7346a86ee58aca6c
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 6b86b5de893e9885f8288af5a096444b30fa2628)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/svg/qsvghandler.cpp | 10 | ||||
| -rw-r--r-- | src/svg/qsvghandler_p.h | 2 |
2 files changed, 7 insertions, 5 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index fc1f7d3..7205cda 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -3861,16 +3861,17 @@ bool QSvgHandler::endElement(const QStringRef &localName) return true; } -void QSvgHandler::resolveGradients(QSvgNode *node) +void QSvgHandler::resolveGradients(QSvgNode *node, int nestedDepth) { if (!node || (node->type() != QSvgNode::DOC && node->type() != QSvgNode::G && node->type() != QSvgNode::DEFS && node->type() != QSvgNode::SWITCH)) { return; } + QSvgStructureNode *structureNode = static_cast<QSvgStructureNode *>(node); - QList<QSvgNode *> ren = structureNode->renderers(); - for (QList<QSvgNode *>::iterator it = ren.begin(); it != ren.end(); ++it) { + const QList<QSvgNode *> ren = structureNode->renderers(); + for (auto it = ren.begin(); it != ren.end(); ++it) { QSvgFillStyle *fill = static_cast<QSvgFillStyle *>((*it)->styleProperty(QSvgStyleProperty::FILL)); if (fill && !fill->isGradientResolved()) { QString id = fill->gradientId(); @@ -3895,7 +3896,8 @@ void QSvgHandler::resolveGradients(QSvgNode *node) } } - resolveGradients(*it); + if (nestedDepth < 2048) + resolveGradients(*it, nestedDepth + 1); } } diff --git a/src/svg/qsvghandler_p.h b/src/svg/qsvghandler_p.h index d76e56c..d72aa99 100644 --- a/src/svg/qsvghandler_p.h +++ b/src/svg/qsvghandler_p.h @@ -178,7 +178,7 @@ private: QCss::Parser m_cssParser; #endif void parse(); - void resolveGradients(QSvgNode *node); + void resolveGradients(QSvgNode *node, int nestedDepth = 0); void resolveNodes(); QPen m_defaultPen; |