Avoid undefined behavior when painter transform goes oob

With some broken input files, we can end up with a matrix
that scales or translates so far that it ends up with
NaNs or Infs. This causes undefined behavior later when
doing comparisons. We protect against this by checking
for matrix validity after transforming and resetting the
matrix if it becomes invalid.

Pick-to: 5.15 6.2 6.3 6.4
Fixes: QTBUG-101698
Change-Id: Iabc745c1e7a0c36449f14c4c6d9bc8066eaa8eac
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>

1 files changed, 11 insertions, 0 deletions

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index f6dacd8..49a796c 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -397,8 +397,16 @@ void QSvgTinyDocument::draw(QPainter *p, QSvgExtraStates &)
     draw(p);
 }
 
+static bool isValidMatrix(const QTransform &transform)
+{
+    qreal determinant = transform.determinant();
+    return qIsFinite(determinant);
+}
+
 void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect, const QRectF &sourceRect)
 {
+    QTransform oldTransform = p->worldTransform();
+
     QRectF target = targetRect;
     if (target.isEmpty()) {
         QPaintDevice *dev = p->device();
@@ -447,6 +455,9 @@ void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect,
             p->translate(-source.x(), -source.y());
         }
     }
+
+    if (!isValidMatrix(p->worldTransform()))
+        p->setWorldTransform(oldTransform);
 }
 
 QRectF QSvgTinyDocument::boundsOnElement(const QString &id) const