Fix stack overflow in QSvgHandler::resolveGradients

Add a maximum to how deep it will nest.

Fixes oss-fuzz 23643

Change-Id: I6183c04f65a539a6c7df42bc7346a86ee58aca6c
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 6b86b5de893e9885f8288af5a096444b30fa2628)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

1 files changed, 6 insertions, 4 deletions

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index fc1f7d3..7205cda 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3861,16 +3861,17 @@ bool QSvgHandler::endElement(const QStringRef &localName)
     return true;
 }
 
-void QSvgHandler::resolveGradients(QSvgNode *node)
+void QSvgHandler::resolveGradients(QSvgNode *node, int nestedDepth)
 {
     if (!node || (node->type() != QSvgNode::DOC && node->type() != QSvgNode::G
         && node->type() != QSvgNode::DEFS && node->type() != QSvgNode::SWITCH)) {
         return;
     }
+
     QSvgStructureNode *structureNode = static_cast<QSvgStructureNode *>(node);
 
-    QList<QSvgNode *> ren = structureNode->renderers();
-    for (QList<QSvgNode *>::iterator it = ren.begin(); it != ren.end(); ++it) {
+    const QList<QSvgNode *> ren = structureNode->renderers();
+    for (auto it = ren.begin(); it != ren.end(); ++it) {
         QSvgFillStyle *fill = static_cast<QSvgFillStyle *>((*it)->styleProperty(QSvgStyleProperty::FILL));
         if (fill && !fill->isGradientResolved()) {
             QString id = fill->gradientId();
@@ -3895,7 +3896,8 @@ void QSvgHandler::resolveGradients(QSvgNode *node)
             }
         }
 
-        resolveGradients(*it);
+        if (nestedDepth < 2048)
+            resolveGradients(*it, nestedDepth + 1);
     }
 }