From 8368111c76471a7415c29ba293848003fca2a4af Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Mon, 20 Jul 2020 19:07:11 +0200
Subject: Avoid endless recursion when inflating gzip

Fixes: oss-fuzz-24146
Pick-to: 5.12 5.15
Change-Id: I52a974e6a0694fb4afb50d932b2e99917c3034b2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
 src/svg/qsvgtinydocument.cpp                 | 8 +++++---
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 3 +--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 0cbea1d..b1bde78 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -147,8 +147,7 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
                     inflateEnd(&zlibStream);
                     qCWarning(lcSvgHandler, "Error while inflating gzip file: %s",
                             (zlibStream.msg != NULL ? zlibStream.msg : "Unknown error"));
-                    destination.chop(zlibStream.avail_out);
-                    return destination;
+                    return QByteArray();
                 }
             }
 
@@ -206,7 +205,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
     // Check for gzip magic number and inflate if appropriate
     if (contents.startsWith("\x1f\x8b")) {
         QBuffer buffer(const_cast<QByteArray *>(&contents));
-        return load(qt_inflateGZipDataFrom(&buffer));
+        const QByteArray inflated = qt_inflateGZipDataFrom(&buffer);
+        if (inflated.isNull())
+            return nullptr;
+        return load(inflated);
     }
 #endif
 
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 1f70b33..e6089bc 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -837,10 +837,9 @@ void tst_QSvgRenderer::testGzHelper_data()
             "cbcfe70200a865327e040000001f8b08001c2a934800034b4a2ce20200e9b3a20404000000"))
         << QByteArray("foo\nbar\n");
 
-    // We should still get data of the first member if subsequent members are corrupt
     QTest::newRow("corruptedSecondMember") << QByteArray::fromHex(QByteArray("1f8b08001c2a934800034b"
             "cbcfe70200a865327e040000001f8c08001c2a934800034b4a2ce20200e9b3a20404000000"))
-        << QByteArray("foo\n");
+        << QByteArray();
 
 }
 
-- 
cgit v1.2.1