authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-06-23 17:47:03 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2020-06-23 19:07:03 +0200
commit9a0d4ff631003a84205c61bd7a6ef843207f1675 (patch)
treee4f3da8a50bc56a1f4eae5e7181cde96afed6355 /src
parent6b86b5de893e9885f8288af5a096444b30fa2628 (diff)
downloadqtsvg-9a0d4ff631003a84205c61bd7a6ef843207f1675.tar.gz
Add error handling to color parsing
Also fixes undefined shift of negative values. Fixes oss-fuzz 23644 Pick-to: 5.15 5.12 Change-Id: I08c998ebf2217cb8dc50fcb805603e01e67ad64b Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/svg/qsvghandler.cpp41
1 files changed, 22 insertions, 19 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 472b65a..3d997f1 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -105,7 +105,7 @@ static inline QByteArray msgCouldNotResolveProperty(const QString &id, const QXm
// ======== duplicated from qcolor_p
-static inline int qsvg_h2i(char hex)
+static inline int qsvg_h2i(char hex, bool *ok = nullptr)
{
if (hex >= '0' && hex <= '9')
return hex - '0';
@@ -113,18 +113,20 @@ static inline int qsvg_h2i(char hex)
return hex - 'a' + 10;
if (hex >= 'A' && hex <= 'F')
return hex - 'A' + 10;
+ if (ok)
+ *ok = false;
return -1;
}
-static inline int qsvg_hex2int(const char *s)
+static inline int qsvg_hex2int(const char *s, bool *ok = nullptr)
{
- return (qsvg_h2i(s[0]) << 4) | qsvg_h2i(s[1]);
+ return (qsvg_h2i(s[0], ok) * 16) | qsvg_h2i(s[1], ok);
}
-static inline int qsvg_hex2int(char s)
+static inline int qsvg_hex2int(char s, bool *ok = nullptr)
{
- int h = qsvg_h2i(s);
- return (h << 4) | h;
+ int h = qsvg_h2i(s, ok);
+ return (h * 16) | h;
}
bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
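Review bot: The `ok` out-parameter added to `qsvg_h2i` (its signature is in the previous hunk) is only ever cleared on failure and never set on success, and nothing in the code states that contract. A caller that passes an uninitialised `bool` would read an indeterminate value on the success path. A comment above the helper would make it explicit: `// Returns 0-15, or -1 for a non-hex character. *ok is only cleared, never set: initialise it to true before the first call.` The same applies to both `qsvg_hex2int` overloads, which forward the pointer unchanged.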
@@ -134,26 +136,27 @@ bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
name++;
int len = qstrlen(name);
int r, g, b;
+ bool ok = true;
if (len == 12) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 4);
- b = qsvg_hex2int(name + 8);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 4, &ok);
+ b = qsvg_hex2int(name + 8, &ok);
} else if (len == 9) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 3);
- b = qsvg_hex2int(name + 6);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 3, &ok);
+ b = qsvg_hex2int(name + 6, &ok);
} else if (len == 6) {
- r = qsvg_hex2int(name);
- g = qsvg_hex2int(name + 2);
- b = qsvg_hex2int(name + 4);
+ r = qsvg_hex2int(name, &ok);
+ g = qsvg_hex2int(name + 2, &ok);
+ b = qsvg_hex2int(name + 4, &ok);
} else if (len == 3) {
- r = qsvg_hex2int(name[0]);
- g = qsvg_hex2int(name[1]);
- b = qsvg_hex2int(name[2]);
+ r = qsvg_hex2int(name[0], &ok);
+ g = qsvg_hex2int(name[1], &ok);
+ b = qsvg_hex2int(name[2], &ok);
} else {
r = g = b = -1;
}
- if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255) {
+ if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255 || !ok) {
*rgb = 0;
return false;
}
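Review bot: The `len == 12` and `len == 9` branches still validate only the first two characters of each component, so the remaining digits never reach `qsvg_h2i` and cannot clear `ok`. In the 12-character form, offsets 2, 3, 6, 7, 10 and 11 are never read, and in the 9-character form offsets 2, 5 and 8; a value with non-hex characters in those positions is still accepted and returns true. Since this function parses colour strings from SVG input, checking every character once before the branches closes the gap, e.g. `for (int i = 0; i < len; ++i) qsvg_h2i(name[i], &ok);` directly after `bool ok = true;`. The start of `qsvg_get_hex_rgb` lies outside the hunk, so any earlier validation there is not visible here.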