diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-23 11:24:47 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-23 13:52:35 +0000 |
commit | 33081370e5ea540160d3239c23ff34594a15a701 (patch) | |
tree | 55d111e2c89b7ba532d48dc2f2068ee160743777 | |
parent | d439739e15c100f257a1a1842770c4282dc9666e (diff) | |
download | qtsvg-33081370e5ea540160d3239c23ff34594a15a701.tar.gz |
Fix oom in QSvgTinyDocument::load
Avoid overflowing the size integer.
Fixes ozz-fuzz 23606
Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 99a86c1bc347092d76f1288d901b30643b8eea6c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/svg/qsvgtinydocument.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp index 9e5da82..295f535 100644 --- a/src/svg/qsvgtinydocument.cpp +++ b/src/svg/qsvgtinydocument.cpp @@ -127,6 +127,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device) do { // Prepare the destination buffer int oldSize = destination.size(); + if (oldSize > INT_MAX - CHUNK_SIZE) { + inflateEnd(&zlibStream); + qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow"); + return destination; + } + destination.resize(oldSize + CHUNK_SIZE); zlibStream.next_out = reinterpret_cast<Bytef*>( destination.data() + oldSize - zlibStream.avail_out); |