diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-22 13:46:39 +0200 |
|---|---|---|
| committer | Volker Hilsheimer <volker.hilsheimer@qt.io> | 2020-06-22 14:01:24 +0000 |
| commit | 78cbbc1aa3a4802b2eeec8b5abfe196e05df1b16 (patch) | |
| tree | 1b03d9f4bccf861177755119cae94115686e761a /src | |
| parent | 68fe732757ec2f3ee970fbeb08b9fe1efd1c70d3 (diff) | |
| download | qtsvg-78cbbc1aa3a4802b2eeec8b5abfe196e05df1b16.tar.gz | |
Handle empty rects
Avoids a division by zero, also we don't appear to support auto sizes,
so width and height are required attributes.
Fixes oss-fuzz issue 23588.
Pick-to: 5.15 5.12
Change-Id: Ib3474c2ed4409977f6ffcf73088956c6c59ce4ad
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Diffstat (limited to 'src')
| -rw-r--r-- | src/svg/qsvghandler.cpp | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 4ba9fcc..ccf0ae6 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -3062,17 +3062,27 @@ static QSvgNode *createRectNode(QSvgNode *parent, const QStringRef rx = attributes.value(QLatin1String("rx")); const QStringRef ry = attributes.value(QLatin1String("ry")); + bool ok = true; QSvgHandler::LengthType type; - qreal nwidth = parseLength(width, type, handler); + qreal nwidth = parseLength(width, type, handler, &ok); + if (!ok) + return nullptr; nwidth = convertToPixels(nwidth, true, type); - - qreal nheight = parseLength(height, type, handler); + qreal nheight = parseLength(height, type, handler, &ok); + if (!ok) + return nullptr; nheight = convertToPixels(nheight, true, type); qreal nrx = toDouble(rx); qreal nry = toDouble(ry); - QRectF bounds(toDouble(x), toDouble(y), - nwidth, nheight); + QRectF bounds(toDouble(x), toDouble(y), nwidth, nheight); + if (bounds.isEmpty()) + return nullptr; + + if (!rx.isEmpty() && ry.isEmpty()) + nry = nrx; + else if (!ry.isEmpty() && rx.isEmpty()) + nrx = nry; //9.2 The 'rect' element clearly specifies it // but the case might in fact be handled because @@ -3082,11 +3092,6 @@ static QSvgNode *createRectNode(QSvgNode *parent, if (nry > bounds.height()/2) nry = bounds.height()/2; - if (!rx.isEmpty() && ry.isEmpty()) - nry = nrx; - else if (!ry.isEmpty() && rx.isEmpty()) - nrx = nry; - //we draw rounded rect from 0...99 //svg from 0...bounds.width()/2 so we're adjusting the //coordinates |