From 6de62741019a1686e0af5d4e78b5d0f50fa18853 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 23 Jun 2020 17:47:03 +0200
Subject: Add error handling to color parsing

Also fixes undefined shift of negative values.

Fixes oss-fuzz 23644

Change-Id: I08c998ebf2217cb8dc50fcb805603e01e67ad64b
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 9a0d4ff631003a84205c61bd7a6ef843207f1675)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/svg/qsvghandler.cpp | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 7205cda..90d3a00 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -105,7 +105,7 @@ static inline QByteArray msgCouldNotResolveProperty(const QString &id, const QXm
 
 // ======== duplicated from qcolor_p
 
-static inline int qsvg_h2i(char hex)
+static inline int qsvg_h2i(char hex, bool *ok = nullptr)
 {
     if (hex >= '0' && hex <= '9')
         return hex - '0';
@@ -113,18 +113,20 @@ static inline int qsvg_h2i(char hex)
         return hex - 'a' + 10;
     if (hex >= 'A' && hex <= 'F')
         return hex - 'A' + 10;
+    if (ok)
+        *ok = false;
     return -1;
 }
 
-static inline int qsvg_hex2int(const char *s)
+static inline int qsvg_hex2int(const char *s, bool *ok = nullptr)
 {
-    return (qsvg_h2i(s[0]) << 4) | qsvg_h2i(s[1]);
+    return (qsvg_h2i(s[0], ok) * 16) | qsvg_h2i(s[1], ok);
 }
 
-static inline int qsvg_hex2int(char s)
+static inline int qsvg_hex2int(char s, bool *ok = nullptr)
 {
-    int h = qsvg_h2i(s);
-    return (h << 4) | h;
+    int h = qsvg_h2i(s, ok);
+    return (h * 16) | h;
 }
 
 bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
@@ -134,26 +136,27 @@ bool qsvg_get_hex_rgb(const char *name, QRgb *rgb)
     name++;
     int len = qstrlen(name);
     int r, g, b;
+    bool ok = true;
     if (len == 12) {
-        r = qsvg_hex2int(name);
-        g = qsvg_hex2int(name + 4);
-        b = qsvg_hex2int(name + 8);
+        r = qsvg_hex2int(name, &ok);
+        g = qsvg_hex2int(name + 4, &ok);
+        b = qsvg_hex2int(name + 8, &ok);
     } else if (len == 9) {
-        r = qsvg_hex2int(name);
-        g = qsvg_hex2int(name + 3);
-        b = qsvg_hex2int(name + 6);
+        r = qsvg_hex2int(name, &ok);
+        g = qsvg_hex2int(name + 3, &ok);
+        b = qsvg_hex2int(name + 6, &ok);
     } else if (len == 6) {
-        r = qsvg_hex2int(name);
-        g = qsvg_hex2int(name + 2);
-        b = qsvg_hex2int(name + 4);
+        r = qsvg_hex2int(name, &ok);
+        g = qsvg_hex2int(name + 2, &ok);
+        b = qsvg_hex2int(name + 4, &ok);
     } else if (len == 3) {
-        r = qsvg_hex2int(name[0]);
-        g = qsvg_hex2int(name[1]);
-        b = qsvg_hex2int(name[2]);
+        r = qsvg_hex2int(name[0], &ok);
+        g = qsvg_hex2int(name[1], &ok);
+        b = qsvg_hex2int(name[2], &ok);
     } else {
         r = g = b = -1;
     }
-    if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255) {
+    if ((uint)r > 255 || (uint)g > 255 || (uint)b > 255 || !ok) {
         *rgb = 0;
         return false;
     }
-- 
cgit v1.2.1