From 15f74a0f8a41759e1216d52d53852c05c9299107 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 1 Apr 2019 14:17:11 +0200
Subject: Fix crash for recursive gradient references

A reference loop with at least three elements would lead to endless
recursion.

Fixes: QTBUG-74189
Change-Id: Ie3c1b32da0e98e9218dc387dd3210666018a92e1
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 src/svg/qsvgstyle.cpp                        | 11 ++++++--
 src/svg/qsvgstyle_p.h                        |  1 +
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 39 ++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/src/svg/qsvgstyle.cpp b/src/svg/qsvgstyle.cpp
index 5448797..b934f94 100644
--- a/src/svg/qsvgstyle.cpp
+++ b/src/svg/qsvgstyle.cpp
@@ -941,14 +941,21 @@ void QSvgGradientStyle::setStopLink(const QString &link, QSvgTinyDocument *doc)
 }
 
 void QSvgGradientStyle::resolveStops()
+{
+    QStringList visited;
+    resolveStops_helper(&visited);
+}
+
+void QSvgGradientStyle::resolveStops_helper(QStringList *visited)
 {
     if (!m_link.isEmpty() && m_doc) {
         QSvgStyleProperty *prop = m_doc->styleProperty(m_link);
-        if (prop && prop != this) {
+        if (prop && !visited->contains(m_link)) {
+            visited->append(m_link);
             if (prop->type() == QSvgStyleProperty::GRADIENT) {
                 QSvgGradientStyle *st =
                     static_cast<QSvgGradientStyle*>(prop);
-                st->resolveStops();
+                st->resolveStops_helper(visited);
                 m_gradient->setStops(st->qgradient()->stops());
                 m_gradientStopsSet = st->gradientStopsSet();
             }
diff --git a/src/svg/qsvgstyle_p.h b/src/svg/qsvgstyle_p.h
index 916c9fa..39aa690 100644
--- a/src/svg/qsvgstyle_p.h
+++ b/src/svg/qsvgstyle_p.h
@@ -577,6 +577,7 @@ public:
     void setStopLink(const QString &link, QSvgTinyDocument *doc);
     QString stopLink() const { return m_link; }
     void resolveStops();
+    void resolveStops_helper(QStringList *visited);
 
     void setMatrix(const QMatrix &matrix);
     QMatrix  qmatrix() const
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 5b359b9..aa28ca9 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -67,6 +67,8 @@ private slots:
     void boundsOnElement() const;
     void gradientStops() const;
     void gradientRefs();
+    void recursiveRefs_data();
+    void recursiveRefs();
     void fillRule();
     void opacity();
     void paths();
@@ -674,6 +676,43 @@ void tst_QSvgRenderer::gradientRefs()
     }
 }
 
+void tst_QSvgRenderer::recursiveRefs_data()
+{
+    QTest::addColumn<QByteArray>("svg");
+
+    QTest::newRow("single") << QByteArray("<svg>"
+                                          "<linearGradient id='0' xlink:href='#0'/>"
+                                          "<rect x='0' y='0' width='20' height='20' fill='url(#0)'/>"
+                                          "</svg>");
+
+    QTest::newRow("double") << QByteArray("<svg>"
+                                          "<linearGradient id='0' xlink:href='#1'/>"
+                                          "<linearGradient id='1' xlink:href='#0'/>"
+                                          "<rect x='0' y='0' width='20' height='20' fill='url(#0)'/>"
+                                          "</svg>");
+
+    QTest::newRow("triple") << QByteArray("<svg>"
+                                          "<linearGradient id='0' xlink:href='#1'/>"
+                                          "<linearGradient id='1' xlink:href='#2'/>"
+                                          "<linearGradient id='2' xlink:href='#0'/>"
+                                          "<rect x='0' y='0' width='20' height='20' fill='url(#0)'/>"
+                                          "</svg>");
+}
+
+void tst_QSvgRenderer::recursiveRefs()
+{
+    QFETCH(QByteArray, svg);
+
+    QImage image(20, 20, QImage::Format_ARGB32_Premultiplied);
+    image.fill(Qt::green);
+    QImage refImage = image.copy();
+
+    QSvgRenderer renderer(svg);
+    QPainter painter(&image);
+    renderer.render(&painter);
+    QCOMPARE(image, refImage);
+}
+
 
 #ifndef QT_NO_COMPRESS
 void tst_QSvgRenderer::testGzLoading()
-- 
cgit v1.2.1