diff options
| author | Joerg Bornemann <joerg.bornemann@digia.com> | 2014-10-01 18:55:15 +0200 |
|---|---|---|
| committer | Joerg Bornemann <joerg.bornemann@digia.com> | 2014-10-06 10:08:53 +0200 |
| commit | 3167c1374bb918033b5b4a5b54e0d0608698eeb0 (patch) | |
| tree | b962f756617b32e93b37e371166b97bc5a05b7a7 | |
| parent | 56440366c661babc6316d9491a82ae1dfe6308f9 (diff) | |
| download | qtsvg-3167c1374bb918033b5b4a5b54e0d0608698eeb0.tar.gz | |
fix crash on malformed SVG5.3
In a gradient that references itself via xlink:href we encountered
an infinite recursion, and eventually a stack overflow.
Now we print a warning and ignore the invalid link.
Task-number: QTBUG-35387
Change-Id: Id72800eaa267d015a471df284245861ed8bc94cd
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
| -rw-r--r-- | src/svg/qsvgstyle.cpp | 2 | ||||
| -rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/src/svg/qsvgstyle.cpp b/src/svg/qsvgstyle.cpp index 4385291..662692b 100644 --- a/src/svg/qsvgstyle.cpp +++ b/src/svg/qsvgstyle.cpp @@ -937,7 +937,7 @@ void QSvgGradientStyle::resolveStops() { if (!m_link.isEmpty() && m_doc) { QSvgStyleProperty *prop = m_doc->styleProperty(m_link); - if (prop) { + if (prop && prop != this) { if (prop->type() == QSvgStyleProperty::GRADIENT) { QSvgGradientStyle *st = static_cast<QSvgGradientStyle*>(prop); diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 2aa2225..8487d54 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -620,6 +620,15 @@ void tst_QSvgRenderer::gradientRefs() "<linearGradient id=\"gradient\" xlink:href=\"#gradient0\">" "</linearGradient>" "</defs>" + "</svg>", + "<svg>" + "<defs>" + "<linearGradient xlink:href=\"#0\" id=\"0\">" + "<stop offset=\"0\" stop-color=\"red\" stop-opacity=\"0\"/>" + "<stop offset=\"1\" stop-color=\"blue\"/>" + "</linearGradient>" + "</defs>" + "<rect fill=\"url(#0)\" height=\"8\" width=\"256\" x=\"0\" y=\"0\"/>" "</svg>" }; for (size_t i = 0 ; i < sizeof(svgs) / sizeof(svgs[0]) ; ++i) |