author | Robert Löhning <robert.loehning@qt.io> | 2021-02-17 19:20:42 +0100 |
---|---|---|
committer | Robert Löhning <robert.loehning@qt.io> | 2021-02-18 18:57:31 +0000 |
commit | afde7ca3a40f524e40052df696f74190452b22cb (patch) | |
tree | 13b25e4bbb20ec669a22d82acf36c5ec7ca95549 /src/svg | |
parent | 970f33e93a110a2fe5360b0afe9c01786931f6ee (diff) | |
download | qtsvg-afde7ca3a40f524e40052df696f74190452b22cb.tar.gz |
Avoid buffer overflow in isSupportedSvgFeature
Fixes oss-fuzz issue 29873.
Pick-to: 6.0 6.1
Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src/svg')
-rw-r--r-- | src/svg/qsvgstructure.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b..89c9e4e 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str)
 };
 if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+ const char16_t unicode44 = str.at(44).unicode();
+ const char16_t unicode45 = str.at(45).unicode();
+ if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))
+ return false;
 const int key = str.length()
- + asso_values[str.at(45).unicode()]
- + asso_values[str.at(44).unicode()];
+ + asso_values[unicode45]
+ + asso_values[unicode44];
 if (key <= MAX_HASH_VALUE && key >= 0)
 return str == QLatin1String(wordlist[key]);
 }
|
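Review bot: The new guard compares the 16-bit code units against `sizeof(asso_values)`, which is the table's size in bytes, not its element count; that is only a correct bound while the gperf-generated `asso_values` (defined above the hunk, not visible here) stays a one-byte element type, and a regenerated table with a wider type would silently reopen the out-of-bounds read the commit closes. Comparing against the element count removes that coupling, e.g. `if (unicode44 >= std::size(asso_values) || unicode45 >= std::size(asso_values))` if the file is built as C++17 (likely for a 6.x branch), otherwise `sizeof(asso_values) / sizeof(asso_values[0])`. A short why-comment would also help the next reader, since the check looks redundant next to the length test: `// QString code units are 16-bit; the gperf table is indexed by an 8-bit char, so reject anything outside it.` The enclosing isSupportedSvgFeature starts before and ends after this hunk.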