Fix oom in QSvgTinyDocument::load

Avoid overflowing the size integer. Fixes ozz-fuzz 23606 Pick-to: 5.15 5.12 Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319 Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-06-23 11:24:47 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-06-23 15:08:30 +0200
commit: 99a86c1bc347092d76f1288d901b30643b8eea6c (patch)
tree: cb839cb0d8f80ed9914a45cd7e327b5941d508cc
parent: c6092c964046fbe531f04b67a87c8fae8628ad0d (diff)
download: qtsvg-99a86c1bc347092d76f1288d901b30643b8eea6c.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 9e5da82..295f535 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -127,6 +127,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
         do {
             // Prepare the destination buffer
             int oldSize = destination.size();
+            if (oldSize > INT_MAX - CHUNK_SIZE) {
+                inflateEnd(&zlibStream);
+                qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+                return destination;
+            }
+
             destination.resize(oldSize + CHUNK_SIZE);
             zlibStream.next_out = reinterpret_cast<Bytef*>(
                     destination.data() + oldSize - zlibStream.avail_out);
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-06-23 11:24:47 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-06-23 15:08:30 +0200
commit	99a86c1bc347092d76f1288d901b30643b8eea6c (patch)
tree	cb839cb0d8f80ed9914a45cd7e327b5941d508cc
parent	c6092c964046fbe531f04b67a87c8fae8628ad0d (diff)
download	qtsvg-99a86c1bc347092d76f1288d901b30643b8eea6c.tar.gz