SVG Image reading: Reject oversize svgs as corrupt

Add an upper limit for height and width at 0xffff, same as jpeg. Fixes: QTBUG-95891 Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a Reviewed-by: Robert Löhning <robert.loehning@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> (cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2021-10-25 14:43:09 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2021-11-08 15:20:13 +0000
commit: 124536b7d40c3fbfe2f827ef8ca5410c399142d7 (patch)
tree: 12bb6488f140d90fae8e7b1c45252176e343c65f
parent: 2e00eaa330a988ec62b252c5e61b9562d7961863 (diff)
download: qtsvg-124536b7d40c3fbfe2f827ef8ca5410c399142d7.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index 3e338b3..309e892 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -184,6 +184,8 @@ bool QSvgIOHandler::read(QImage *image)
         if (finalSize.isEmpty()) {
             *image = QImage();
         } else {
+            if (qMax(finalSize.width(), finalSize.height()) > 0xffff)
+                return false; // Assume corrupted file
             if (!QImageIOHandler::allocateImage(finalSize, QImage::Format_ARGB32_Premultiplied, image))
                 return false;
             image->fill(d->backColor.rgba());
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2021-10-25 14:43:09 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2021-11-08 15:20:13 +0000
commit	124536b7d40c3fbfe2f827ef8ca5410c399142d7 (patch)
tree	12bb6488f140d90fae8e7b1c45252176e343c65f
parent	2e00eaa330a988ec62b252c5e61b9562d7961863 (diff)
download	qtsvg-124536b7d40c3fbfe2f827ef8ca5410c399142d7.tar.gz