author | Robert Loehning <robert.loehning@qt.io> | 2020-07-13 20:53:11 +0200 |
---|---|---|
committer | Robert Loehning <robert.loehning@qt.io> | 2020-07-15 11:54:22 +0200 |
commit | 2fc2cb44b275c7c18c2db262eec443eb198b9cc6 (patch) | |
tree | 3c1e5fc9264160521a426beef3a2cb40b944301c /src | |
parent | 810c735949bbb29a1669d7d3f4010bcc05c7021b (diff) | |
download | qtsvg-2fc2cb44b275c7c18c2db262eec443eb198b9cc6.tar.gz |
Fix stack overflow in dtor of QSvgTinyDocument
Add a maximum to how many unfinished
elements will be parsed by QSvgHandler.
Fixes: oss-fuzz-24000
Pick-to: 5.15 5.12
Change-Id: I4cea0500d2bc503d2c509d091300dd1117170299
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/svg/qsvghandler.cpp | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index e65c063..6f3216b 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3599,6 +3599,10 @@ void QSvgHandler::init()
     parse();
 }
 
+// Having too many unfinished elements will cause a stack overflow
+// in the dtor of QSvgTinyDocument, see oss-fuzz issue 24000.
+static const int unfinishedElementsLimit = 2048;
+
 void QSvgHandler::parse()
 {
     xml->setNamespaceProcessing(false);
@@ -3607,6 +3611,7 @@ void QSvgHandler::parse()
     m_inStyle = false;
 #endif
     bool done = false;
+    int remainingUnfinishedElements = unfinishedElementsLimit;
     while (!xml->atEnd() && !done) {
         switch (xml->readNext()) {
         case QXmlStreamReader::StartElement:
@@ -3618,7 +3623,10 @@ void QSvgHandler::parse()
             // namespaceUri is empty. The only possible strategy at
             // this point is to do what everyone else seems to do and
             // ignore the reported namespaceUri completely.
-            if (!startElement(xml->name().toString(), xml->attributes())) {
+            if (remainingUnfinishedElements
+                && startElement(xml->name().toString(), xml->attributes())) {
+                --remainingUnfinishedElements;
+            } else {
                 delete m_doc;
                 m_doc = 0;
                 return;
@@ -3626,6 +3634,7 @@ void QSvgHandler::parse()
             break;
         case QXmlStreamReader::EndElement:
             endElement(xml->name());
+            ++remainingUnfinishedElements;
             // if we are using somebody else's qxmlstreamreader
             // we should not read until the end of the stream
             done = !m_ownsReader && (xml->name() == QLatin1String("svg"));
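Review bot: The `++remainingUnfinishedElements;` added after `endElement(xml->name());` in the last hunk can raise the counter above `unfinishedElementsLimit`, because every EndElement is credited even when the matching StartElement was never counted by this loop — which the `!m_ownsReader` handling two lines below suggests is possible when the caller supplies a reader already positioned inside an element; clamping it with `if (remainingUnfinishedElements < unfinishedElementsLimit) ++remainingUnfinishedElements;` (or counting depth upward and comparing against the limit) keeps the bound from being loosened by the reader's starting position. The limit is a local of parse(), so it only caps trees built by this loop and does not make the recursive destructor itself safe; the comment on the constant should also say how 2048 was chosen, e.g. `// 2048 is a conservative bound for the default thread stack size; adjust if the dtor frame grows.`, adjusted to whatever the oss-fuzz trace actually showed. The rejection path in the third hunk is silent, so a `qWarning("QSvgHandler: element nesting limit exceeded");` next to `delete m_doc;` would make a hostile or fuzz-found input diagnosable instead of indistinguishable from any other parse failure. The body of QSvgHandler::parse() continues outside these hunks.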