diff options
| -rw-r--r-- | src/svg/qsvghandler.cpp | 2 | ||||
| -rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 18 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 677dc97..e88e83b 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -2465,6 +2465,8 @@ static bool parseAnimateTransformNode(QSvgNode *parent, ++s; } } + if (vals.count() % 3 != 0) + return false; bool ok = true; int begin = parseClockValue(beginStr, &ok); diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 78c87eb..7e4a5ae 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -62,6 +62,8 @@ private slots: void oss_fuzz_24131(); void oss_fuzz_24738(); void imageRendering(); + void illegalAnimateTransform_data(); + void illegalAnimateTransform(); #ifndef QT_NO_COMPRESS void testGzLoading(); @@ -1677,6 +1679,22 @@ void tst_QSvgRenderer::imageRendering() { } } +void tst_QSvgRenderer::illegalAnimateTransform_data() +{ + QTest::addColumn<QByteArray>("svg"); + + QTest::newRow("case1") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"8,0,5,0\">"); + QTest::newRow("case2") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"1,2\">"); + QTest::newRow("case3") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" from=\".. 5 2\" to=\"f\">"); + QTest::newRow("case4") << QByteArray("<svg><animateTransform type=\"scale\" begin=\"1\" dur=\"2\" by=\"--,..\">"); +} + +void tst_QSvgRenderer::illegalAnimateTransform() +{ + QFETCH(QByteArray, svg); + QSvgRenderer renderer; + QVERIFY(!renderer.load(svg)); // also shouldn't assert +} QTEST_MAIN(tst_QSvgRenderer) #include "tst_qsvgrenderer.moc" |