From f6e5dc05855db60eab1568b5fe226922d1c899bb Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Tue, 26 Feb 2019 17:44:48 +0100
Subject: Don't leak nodes on parsing failures
The QSvgHandler always expects the caller to handle ownership of the generated document, also when the parsing failed. QSvgHandler also failed to handle misplaced group elements.
Fixes: QTBUG-74083
Change-Id: I8907117d4305ecd84e328b201791001cb877fc60
Reviewed-by: Robert Loehning
---
 src/svg/qsvghandler.cpp | 12 +++++++++---
 src/svg/qsvgtinydocument.cpp | 7 ++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index dd31965..1767ad8 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3709,14 +3709,20 @@ bool QSvgHandler::startElement(const QString &localName,
 }
 break;
 default:
+ const QByteArray msg = QByteArrayLiteral("Could not add child element to parent element because the types are incorrect.");
+ qCWarning(lcSvgHandler, "%s", prefixMessage(msg, xml).constData());
+ delete node;
+ node = 0;
 break;
 }
 }
- parseCoreNode(node, attributes);
+ if (node) {
+ parseCoreNode(node, attributes);
 #ifndef QT_NO_CSSPARSER
- cssStyleLookup(node, this, m_selector);
+ cssStyleLookup(node, this, m_selector);
 #endif
- parseStyle(node, attributes, this);
+ parseStyle(node, attributes, this);
+ }
 } else if (FactoryMethod method = findGraphicsFactory(localName)) {
 //rendering element
 Q_ASSERT(!m_nodes.isEmpty());
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 15351bd..813395f 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -187,6 +187,7 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
 } else {
 qCWarning(lcSvgHandler, "Cannot read file '%s', because: %s (line %d)",
 qPrintable(fileName), qPrintable(handler.errorString()), handler.lineNumber());
+ delete handler.document();
 }
 return doc;
 }
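Review bot: The new `default:` arm declares `const QByteArray msg` directly under the label, while the preceding `case` block in the same switch wraps its body in braces before `break;`; wrapping this arm the same way, `default: { … break; }`, keeps the switch consistent and avoids a cross-initialization error should a label ever be added after it. The null assignment `node = 0;` would read better as `node = nullptr;`. The code that later inspects `node` (the push onto the node stack and the bookkeeping that the matching endElement relies on) lies outside the hunk, so it is worth confirming that a null node from this path leaves the stacks balanced; startElement's body starts and ends outside the hunk.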
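Review bot: The `delete handler.document();` cleanup in the failure branch is repeated by hand in all three `load()` overloads (this hunk and the `@@ -207` and `@@ -219` hunks of the same file), so a future overload or early return can easily miss it and reintroduce the leak. Moving ownership handling into one place — for instance a small helper that returns `handler.document()` when `handler.ok()` and deletes it otherwise — would keep the three loaders in step. This also assumes `handler.document()` still hands back the partially built document after a failure and that QSvgHandler does not free it itself; presumably so, given the commit message, but worth confirming against the handler's destructor.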
@@ -207,6 +208,8 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
 if (handler.ok()) {
 doc = handler.document();
 doc->m_animationDuration = handler.animationDuration();
+ } else {
+ delete handler.document();
 }
 return doc;
 }
@@ -219,6 +222,8 @@ QSvgTinyDocument * QSvgTinyDocument::load(QXmlStreamReader *contents)
 if (handler.ok()) {
 doc = handler.document();
 doc->m_animationDuration = handler.animationDuration();
+ } else {
+ delete handler.document();
 }
 return doc;
 }
@@ -455,7 +460,7 @@ QMatrix QSvgTinyDocument::matrixForElement(const QString &id) const
 t *= node->m_style.transform->qtransform();
 node = node->parent();
 }
-
+
 return t.toAffine();
 }
-- cgit v1.2.1
From f354d4be9a7a436fb16bd9764a261c930101850c Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Thu, 28 Feb 2019 16:21:41 +0100
Subject: Fix heap overflow in path parsing
Fixes: QTBUG-74129
Change-Id: I871c144f1df288a310e82aef979af7cfd7a54095
Reviewed-by: Robert Loehning
---
 src/svg/qsvghandler.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 1767ad8..463ec01 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -1596,7 +1596,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
 const QChar *end = str + dataStr.size();
 while (str != end) {
- while (str->isSpace())
+ while (str->isSpace() && (str + 1) != end)
 ++str;
 QChar pathElem = *str;
 ++str;
-- cgit v1.2.1
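Review bot: The new bound `(str + 1) != end` stops the whitespace skip one character short of `end`, so path data ending in whitespace leaves `str` on that final space, which the following two lines then read into `pathElem` and step past — `str` becomes `end` with a space dispatched as a command letter. Whatever the later dispatch does with that stray element is outside the hunk, as is the rest of parsePathDataFast. A bound that mirrors the enclosing loop is clearer and avoids that case: `while (str != end && str->isSpace()) ++str;` followed by `if (str == end) break;`.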