authorRobert Löhning <robert.loehning@qt.io>2021-02-17 19:20:42 +0100
committerRobert Löhning <robert.loehning@qt.io>2021-02-18 18:57:31 +0000
commitafde7ca3a40f524e40052df696f74190452b22cb (patch)
tree13b25e4bbb20ec669a22d82acf36c5ec7ca95549 /src
parent970f33e93a110a2fe5360b0afe9c01786931f6ee (diff)
downloadqtsvg-afde7ca3a40f524e40052df696f74190452b22cb.tar.gz
Avoid buffer overflow in isSupportedSvgFeature
Fixes oss-fuzz issue 29873. Pick-to: 6.0 6.1 Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/svg/qsvgstructure.cpp8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index b89608b..89c9e4e 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str)
};
if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) {
+ const char16_t unicode44 = str.at(44).unicode();
+ const char16_t unicode45 = str.at(45).unicode();
+ if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))
+ return false;
const int key = str.length()
- + asso_values[str.at(45).unicode()]
- + asso_values[str.at(44).unicode()];
+ + asso_values[unicode45]
+ + asso_values[unicode44];
if (key <= MAX_HASH_VALUE && key >= 0)
return str == QLatin1String(wordlist[key]);
}
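Review bot: The new guard `if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values))` compares a char16_t code unit against the table's size in bytes, which equals its entry count only if asso_values has a one-byte element type; that declaration is outside this hunk so it cannot be confirmed here, and a later change to a wider element type would silently accept indices past the end of the table and reintroduce the out-of-bounds read this commit fixes. Writing the bound as an element count makes the check independent of the element type: `if (unicode44 >= std::size(asso_values) || unicode45 >= std::size(asso_values))` (C++17, `<iterator>`), or `sizeof(asso_values) / sizeof(asso_values[0])` if the file must stay pre-C++17. A short comment above the check would also tell the next reader why two characters are validated before the hash is computed, e.g. `// QChar::unicode() is 16-bit; only values below the table length may index asso_values (oss-fuzz 29873)`. The enclosing isSupportedSvgFeature begins before this hunk and its final return lies after it.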