authorRobert Löhning <robert.loehning@qt.io>2021-02-17 19:20:42 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2021-02-18 19:24:07 +0000
commitfc1a706440a33c792da08aa0f4b3ed2e0057e349 (patch)
tree4990404d1e764ba4e28fcf728bb695885e3e86a9
parentd3241a766351885b448b6a709a552f67f61863db (diff)
downloadqtsvg-fc1a706440a33c792da08aa0f4b3ed2e0057e349.tar.gz
Avoid buffer overflow in isSupportedSvgFeature
Fixes oss-fuzz issue 29873. Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit afde7ca3a40f524e40052df696f74190452b22cb) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/svg/qsvgstructure.cpp8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b..89c9e4e 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str)
};
if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+ const char16_t unicode44 = str.at(44).unicode();
+ const char16_t unicode45 = str.at(45).unicode();
+ if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))
+ return false;
const int key = str.length()
- + asso_values[str.at(45).unicode()]
- + asso_values[str.at(44).unicode()];
+ + asso_values[unicode45]
+ + asso_values[unicode44];
if (key <= MAX_HASH_VALUE && key >= 0)
return str == QLatin1String(wordlist[key]);
}