diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-28 11:20:27 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-03-04 09:05:30 +0000 |
commit | 6f152f87dbbd47acc58458d636ce5d1cc181b8fd (patch) | |
tree | 6ddeebfb1078c205cba8a86c315e2e961e1b6b0e /src | |
parent | f354d4be9a7a436fb16bd9764a261c930101850c (diff) | |
download | qtsvg-6f152f87dbbd47acc58458d636ce5d1cc181b8fd.tar.gz |
Fix IRI parsing, and use after free
Make the parsing of IRI references tighter, and avoid freeing
styles when inserting a duplicate id.
Fixes: QTBUG-74104
Change-Id: I3a12fcf09ce1c55c135a4209817413ed8af75dec
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/svg/qsvghandler.cpp | 14 | ||||
-rw-r--r-- | src/svg/qsvgtinydocument.cpp | 5 |
2 files changed, 16 insertions, 3 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 463ec01..599ed56 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -774,21 +774,31 @@ static QVector<qreal> parsePercentageList(const QChar *&str) static QString idFromUrl(const QString &url) { + // The form is url(<IRI>), where IRI can be + // just an ID on #<id> form. QString::const_iterator itr = url.constBegin(); QString::const_iterator end = url.constEnd(); + QString id; while (itr != end && (*itr).isSpace()) ++itr; if (itr != end && (*itr) == QLatin1Char('(')) ++itr; + else + return QString(); while (itr != end && (*itr).isSpace()) ++itr; - if (itr != end && (*itr) == QLatin1Char('#')) + if (itr != end && (*itr) == QLatin1Char('#')) { + id += *itr; ++itr; - QString id; + } else { + return QString(); + } while (itr != end && (*itr) != QLatin1Char(')')) { id += *itr; ++itr; } + if (itr == end || (*itr) != QLatin1Char(')')) + return QString(); return id; } diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp index 813395f..da464cc 100644 --- a/src/svg/qsvgtinydocument.cpp +++ b/src/svg/qsvgtinydocument.cpp @@ -363,7 +363,10 @@ QSvgNode *QSvgTinyDocument::namedNode(const QString &id) const void QSvgTinyDocument::addNamedStyle(const QString &id, QSvgFillStyleProperty *style) { - m_namedStyles.insert(id, style); + if (!m_namedStyles.contains(id)) + m_namedStyles.insert(id, style); + else + qCWarning(lcSvgHandler) << "Duplicate unique style id:" << id; } QSvgFillStyleProperty *QSvgTinyDocument::namedStyle(const QString &id) const |