authorEirik Aavitsland <eirik.aavitsland@qt.io>2018-07-09 10:45:22 +0200
committerEirik Aavitsland <eirik.aavitsland@qt.io>2018-08-07 08:02:47 +0000
commit97eebc52a8362f8b841e24ad0e4d54315d1948e3 (patch)
tree4071e8f4893d39d86d19794f0e7a4417feec5d34
parent2e45d744502ebc77f8c6ed5ae14333e127320b3f (diff)
downloadqtsvg-97eebc52a8362f8b841e24ad0e4d54315d1948e3.tar.gz
Fix crash when parsing malformed url reference
The parsing did not check for end of input. Change-Id: I56a478877d242146395977b767511425d2b8ced1 Reviewed-by: Lars Knoll <lars.knoll@qt.io> (cherry picked from commit 8c199714e9bc638fb3f6ec747fb7a23373e49335)
-rw-r--r--src/svg/qsvghandler.cpp11
-rw-r--r--tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp26
2 files changed, 32 insertions, 5 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 4366e40..45463ec 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -774,16 +774,17 @@ static QVector<qreal> parsePercentageList(const QChar *&str)
static QString idFromUrl(const QString &url)
{
QString::const_iterator itr = url.constBegin();
- while ((*itr).isSpace())
+ QString::const_iterator end = url.constEnd();
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('('))
+ if (itr != end && (*itr) == QLatin1Char('('))
++itr;
- while ((*itr).isSpace())
+ while (itr != end && (*itr).isSpace())
++itr;
- if ((*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#'))
++itr;
QString id;
- while ((*itr) != QLatin1Char(')')) {
+ while (itr != end && (*itr) != QLatin1Char(')')) {
id += *itr;
++itr;
}
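Review bot: The final loop in idFromUrl now stops at `end` when no closing `)` is found, but nothing distinguishes that case from a properly terminated reference, so an unterminated value such as `url(#0` appears to yield the id `0` as if it had been closed. SVG data is frequently untrusted, so consider rejecting the truncated form explicitly after the loop with `if (itr == end) return QString();`. That is only safe if callers treat an empty id as "no reference", and the callers are not visible here. The function body continues past the end of this hunk, so its return statement is not shown. A short comment above the function, e.g. `// Input may be truncated: every dereference of itr must be guarded by itr != end.`, would record why the checks must not be dropped later.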
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index fd1b350..9ab93bd 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -54,6 +54,8 @@ private slots:
void getSetCheck();
void inexistentUrl();
void emptyUrl();
+ void invalidUrl_data();
+ void invalidUrl();
void testStrokeWidth();
void testMapViewBoxToTarget();
void testRenderElement();
@@ -132,6 +134,30 @@ void tst_QSvgRenderer::emptyUrl()
QVERIFY(renderer.isValid());
}
+void tst_QSvgRenderer::invalidUrl_data()
+{
+ QTest::addColumn<QByteArray>("svg");
+
+ QTest::newRow("00") << QByteArray("<svg><circle fill=\"url\" /></svg>");
+ QTest::newRow("01") << QByteArray("<svg><circle fill=\"url0\" /></svg>");
+ QTest::newRow("02") << QByteArray("<svg><circle fill=\"url(0\" /></svg>");
+ QTest::newRow("03") << QByteArray("<svg><circle fill=\"url (0\" /></svg>");
+ QTest::newRow("04") << QByteArray("<svg><circle fill=\"url ( 0\" /></svg>");
+ QTest::newRow("05") << QByteArray("<svg><circle fill=\"url#\" /></svg>");
+ QTest::newRow("06") << QByteArray("<svg><circle fill=\"url#(\" /></svg>");
+ QTest::newRow("07") << QByteArray("<svg><circle fill=\"url(#\" /></svg>");
+ QTest::newRow("08") << QByteArray("<svg><circle fill=\"url(# \" /></svg>");
+ QTest::newRow("09") << QByteArray("<svg><circle fill=\"url(# 0\" /></svg>");
+}
+
+void tst_QSvgRenderer::invalidUrl()
+{
+ QFETCH(QByteArray, svg);
+
+ QSvgRenderer renderer(svg);
+ QVERIFY(renderer.isValid());
+}
+
void tst_QSvgRenderer::testStrokeWidth()
{
qreal squareSize = 30.0;
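Review bot: The rows in invalidUrl_data do not include a value that ends directly after the opening parenthesis, so `url(` and `url( ` are untested even though they make the parser run out of input between the `(` and `#` checks. Adding e.g. `QTest::newRow("10") << QByteArray("<svg><circle fill=\"url(\" /></svg>");` and a matching row with a trailing space would close that gap. The test asserts only `renderer.isValid()`, so it is worth stating the intent in a comment above invalidUrl_data, e.g. `// Malformed url references must not crash the parser; the document is still expected to load.` Because an out-of-bounds read does not always crash, running this test under a memory sanitizer build gives a stronger signal than the assertion alone.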