From 45530ad4c5c6d3e90fe6d5a63f3bb551f37ad917 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 20 Feb 2020 12:37:21 +0100
Subject: Restrict nested use nodes processed

To avoid exponential blow up, limit the number of use nodes processed
under a certain depth. This should still allow the common use of many
shallow uses, but limit anything dangerous.

Change-Id: I3af6dacb61c68350876fb03f056f02a287ea4e33
Fixes: QTBUG-82153
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
---
 src/svg/qsvggraphics.cpp | 17 ++++++++++++++++-
 src/svg/qsvgstyle_p.h    |  2 ++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/svg/qsvggraphics.cpp b/src/svg/qsvggraphics.cpp
index bcd2452..20a03ff 100644
--- a/src/svg/qsvggraphics.cpp
+++ b/src/svg/qsvggraphics.cpp
@@ -43,6 +43,7 @@
 
 #include <qabstracttextdocumentlayout.h>
 #include <qdebug.h>
+#include <qloggingcategory.h>
 #include <qpainter.h>
 #include <qscopedvaluerollback.h>
 #include <qtextcursor.h>
@@ -53,6 +54,8 @@
 
 QT_BEGIN_NAMESPACE
 
+Q_LOGGING_CATEGORY(lcSvgDraw, "qt.svg.draw")
+
 #define QT_SVG_DRAW_SHAPE(command)                          \
     qreal oldOpacity = p->opacity();                        \
     QBrush oldBrush = p->brush();                           \
@@ -469,15 +472,27 @@ void QSvgUse::draw(QPainter *p, QSvgExtraStates &states)
     if (Q_UNLIKELY(!m_link || isDescendantOf(m_link) || m_recursing))
         return;
 
+    Q_ASSERT(states.nestedUseCount == 0 || states.nestedUseLevel > 0);
+    if (states.nestedUseLevel > 3 && states.nestedUseCount > (256 + states.nestedUseLevel * 2)) {
+        qCDebug(lcSvgDraw, "Too many nested use nodes at #%s!", qPrintable(m_linkId));
+        return;
+    }
+
     applyStyle(p, states);
 
     if (!m_start.isNull()) {
         p->translate(m_start);
     }
+    if (states.nestedUseLevel > 0)
+        ++states.nestedUseCount;
     {
-        QScopedValueRollback<bool> guard(m_recursing, true);
+        QScopedValueRollback<int> useLevelGuard(states.nestedUseLevel, states.nestedUseLevel + 1);
+        QScopedValueRollback<bool> recursingGuard(m_recursing, true);
         m_link->draw(p, states);
     }
+    if (states.nestedUseLevel == 0)
+        states.nestedUseCount = 0;
+
     if (!m_start.isNull()) {
         p->translate(-m_start);
     }
diff --git a/src/svg/qsvgstyle_p.h b/src/svg/qsvgstyle_p.h
index 39aa690..9d616d4 100644
--- a/src/svg/qsvgstyle_p.h
+++ b/src/svg/qsvgstyle_p.h
@@ -145,6 +145,8 @@ struct Q_SVG_PRIVATE_EXPORT QSvgExtraStates
     int fontWeight;
     Qt::FillRule fillRule;
     qreal strokeDashOffset;
+    int nestedUseLevel = 0;
+    int nestedUseCount = 0;
     bool vectorEffect; // true if pen is cosmetic
 };
 
-- 
cgit v1.2.1