author | Robert Löhning <robert.loehning@qt.io> | 2021-02-17 19:20:42 +0100 |
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-02-18 19:24:07 +0000 |
commit | 117f4f34c6162eb8ac749569a5fff604713a3eba (patch) | |
tree | da08efad39f7ea07efe056c55ebda52509c62856 | |
parent | 7a4054b7ae3fbe147f19f89b8c41a20031d89638 (diff) | |
download | qtsvg-117f4f34c6162eb8ac749569a5fff604713a3eba.tar.gz |
Avoid buffer overflow in isSupportedSvgFeature
Fixes oss-fuzz issue 29873.
Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit afde7ca3a40f524e40052df696f74190452b22cb)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/svg/qsvgstructure.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b..89c9e4e 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str)
 };
 if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+ const char16_t unicode44 = str.at(44).unicode();
+ const char16_t unicode45 = str.at(45).unicode();
+ if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))
+ return false;
 const int key = str.length()
- + asso_values[str.at(45).unicode()]
- + asso_values[str.at(44).unicode()];
+ + asso_values[unicode45]
+ + asso_values[unicode44];
 if (key <= MAX_HASH_VALUE && key >= 0)
 return str == QLatin1String(wordlist[key]);
 } |
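Review bot: The new guard compares the two code units against `sizeof(asso_values)`, which is the element count only while the table's element type is one byte wide; the declaration of `asso_values` is outside this hunk, so that cannot be confirmed here, and a later widening of the element type would silently turn the check into a byte-size comparison and reintroduce the out-of-bounds read the commit fixes. Writing the bound as an element count removes that dependency: `if (unicode44 >= sizeof(asso_values) / sizeof(asso_values[0]) || unicode45 >= sizeof(asso_values) / sizeof(asso_values[0]))`. The reads at `str.at(44)` and `str.at(45)` also rely on `MIN_WORD_LENGTH` being at least 46, a value not visible in the hunk; a short comment above the new lines, `// gperf keys on positions 44 and 45; MIN_WORD_LENGTH guarantees both exist`, would make the precondition explicit for the next reader. isSupportedSvgFeature begins before this hunk.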