diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-22 13:46:39 +0200 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-06-22 14:21:23 +0000 |
commit | 4ff5df3635ef173de5acb42528ff9e7c13117e62 (patch) | |
tree | 65bc6b5ca2223cc56368d5e60ee0dcc72780efba | |
parent | d952a1cddd75cafd0fad2c897bc7d3b7ad77a2c4 (diff) | |
download | qtsvg-4ff5df3635ef173de5acb42528ff9e7c13117e62.tar.gz |
Handle empty rects
Avoids a division by zero, also we don't appear to support auto sizes,
so width and height are required attributes.
Fixes oss-fuzz issue 23588.
Change-Id: Ib3474c2ed4409977f6ffcf73088956c6c59ce4ad
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
(cherry picked from commit 78cbbc1aa3a4802b2eeec8b5abfe196e05df1b16)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/svg/qsvghandler.cpp | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 0d2e28e..fc1f7d3 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -3062,17 +3062,27 @@ static QSvgNode *createRectNode(QSvgNode *parent, const QStringRef rx = attributes.value(QLatin1String("rx")); const QStringRef ry = attributes.value(QLatin1String("ry")); + bool ok = true; QSvgHandler::LengthType type; - qreal nwidth = parseLength(width, type, handler); + qreal nwidth = parseLength(width, type, handler, &ok); + if (!ok) + return nullptr; nwidth = convertToPixels(nwidth, true, type); - - qreal nheight = parseLength(height, type, handler); + qreal nheight = parseLength(height, type, handler, &ok); + if (!ok) + return nullptr; nheight = convertToPixels(nheight, true, type); qreal nrx = toDouble(rx); qreal nry = toDouble(ry); - QRectF bounds(toDouble(x), toDouble(y), - nwidth, nheight); + QRectF bounds(toDouble(x), toDouble(y), nwidth, nheight); + if (bounds.isEmpty()) + return nullptr; + + if (!rx.isEmpty() && ry.isEmpty()) + nry = nrx; + else if (!ry.isEmpty() && rx.isEmpty()) + nrx = nry; //9.2 The 'rect' element clearly specifies it // but the case might in fact be handled because @@ -3082,11 +3092,6 @@ static QSvgNode *createRectNode(QSvgNode *parent, if (nry > bounds.height()/2) nry = bounds.height()/2; - if (!rx.isEmpty() && ry.isEmpty()) - nry = nrx; - else if (!ry.isEmpty() && rx.isEmpty()) - nrx = nry; - //we draw rounded rect from 0...99 //svg from 0...bounds.width()/2 so we're adjusting the //coordinates |