From 7fa4b7c76ca4d9b84730cfad239e1a7a58cf2dfa Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Thu, 27 Aug 2020 10:51:35 +0200
Subject: Avoid recursion when inflating compressed svgs

Avoid the possibility of recursion loop for corrupt compressed files,
and generally simplify the code, particularly the handling of the
QT_NO_COMPRESS flag.

Change-Id: Ic21a4814a45c4303cc366152be65ae54fa973461
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 3d67824828cf37a2357153e1c832b4cb06d3b485)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
 src/svg/qsvgtinydocument.cpp | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index d7a6c8e..da3d142 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -179,6 +179,11 @@ static QByteArray qt_inflateSvgzDataFrom(QIODevice *device, bool doCheckContent)
     inflateEnd(&zlibStream);
     return destination;
 }
+#else
+static QByteArray qt_inflateSvgzDataFrom(QIODevice *)
+{
+    return QByteArray();
+}
 #endif
 
 QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
@@ -190,12 +195,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
         return 0;
     }
 
-#ifndef QT_NO_COMPRESS
     if (fileName.endsWith(QLatin1String(".svgz"), Qt::CaseInsensitive)
             || fileName.endsWith(QLatin1String(".svg.gz"), Qt::CaseInsensitive)) {
         return load(qt_inflateSvgzDataFrom(&file));
     }
-#endif
 
     QSvgTinyDocument *doc = 0;
     QSvgHandler handler(&file);
@@ -212,18 +215,22 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
 
 QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
 {
-#ifndef QT_NO_COMPRESS
+    QByteArray svg;
     // Check for gzip magic number and inflate if appropriate
     if (contents.startsWith("\x1f\x8b")) {
-        QBuffer buffer(const_cast<QByteArray *>(&contents));
-        const QByteArray inflated = qt_inflateSvgzDataFrom(&buffer);
-        if (inflated.isNull())
-            return nullptr;
-        return load(inflated);
+        QBuffer buffer;
+        buffer.setData(contents);
+        svg = qt_inflateSvgzDataFrom(&buffer);
+    } else {
+        svg = contents;
     }
-#endif
+    if (svg.isNull())
+        return nullptr;
 
-    QSvgHandler handler(contents);
+    QBuffer buffer;
+    buffer.setData(svg);
+    buffer.open(QIODevice::ReadOnly);
+    QSvgHandler handler(&buffer);
 
     QSvgTinyDocument *doc = nullptr;
     if (handler.ok()) {
-- 
cgit v1.2.1