diff options
author | Robert Loehning <robert.loehning@qt.io> | 2020-07-20 19:07:11 +0200 |
---|---|---|
committer | Robert Loehning <robert.loehning@qt.io> | 2020-07-29 16:00:06 +0000 |
commit | 8368111c76471a7415c29ba293848003fca2a4af (patch) | |
tree | 04861cea02d8e41ee88f519a8ac86932b873a5c9 /src | |
parent | 9427f863d9cb478f98a1cff9af62806cdb899399 (diff) | |
download | qtsvg-8368111c76471a7415c29ba293848003fca2a4af.tar.gz |
Avoid endless recursion when inflating gzip
Fixes: oss-fuzz-24146
Pick-to: 5.12 5.15
Change-Id: I52a974e6a0694fb4afb50d932b2e99917c3034b2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/svg/qsvgtinydocument.cpp | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp index 0cbea1d..b1bde78 100644 --- a/src/svg/qsvgtinydocument.cpp +++ b/src/svg/qsvgtinydocument.cpp @@ -147,8 +147,7 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device) inflateEnd(&zlibStream); qCWarning(lcSvgHandler, "Error while inflating gzip file: %s", (zlibStream.msg != NULL ? zlibStream.msg : "Unknown error")); - destination.chop(zlibStream.avail_out); - return destination; + return QByteArray(); } } @@ -206,7 +205,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents) // Check for gzip magic number and inflate if appropriate if (contents.startsWith("\x1f\x8b")) { QBuffer buffer(const_cast<QByteArray *>(&contents)); - return load(qt_inflateGZipDataFrom(&buffer)); + const QByteArray inflated = qt_inflateGZipDataFrom(&buffer); + if (inflated.isNull()) + return nullptr; + return load(inflated); } #endif |