From 15f74a0f8a41759e1216d52d53852c05c9299107 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Mon, 1 Apr 2019 14:17:11 +0200
Subject: Fix crash for recursive gradient references
A reference loop with at least three elements would lead to endless recursion.
Fixes: QTBUG-74189
Change-Id: Ie3c1b32da0e98e9218dc387dd3210666018a92e1
Reviewed-by: Allan Sandfeld Jensen
---
 src/svg/qsvgstyle.cpp | 11 ++++++--
 src/svg/qsvgstyle_p.h | 1 +
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 39 ++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/src/svg/qsvgstyle.cpp b/src/svg/qsvgstyle.cpp
index 5448797..b934f94 100644
--- a/src/svg/qsvgstyle.cpp
+++ b/src/svg/qsvgstyle.cpp
@@ -941,14 +941,21 @@ void QSvgGradientStyle::setStopLink(const QString &link, QSvgTinyDocument *doc)
 }
 void QSvgGradientStyle::resolveStops()
+{
+ QStringList visited;
+ resolveStops_helper(&visited);
+}
+
+void QSvgGradientStyle::resolveStops_helper(QStringList *visited)
 {
 if (!m_link.isEmpty() && m_doc) {
 QSvgStyleProperty *prop = m_doc->styleProperty(m_link);
- if (prop && prop != this) {
+ if (prop && !visited->contains(m_link)) {
+ visited->append(m_link);
 if (prop->type() == QSvgStyleProperty::GRADIENT) {
 QSvgGradientStyle *st = static_cast(prop);
- st->resolveStops();
+ st->resolveStops_helper(visited);
 m_gradient->setStops(st->qgradient()->stops());
 m_gradientStopsSet = st->gradientStopsSet();
 }
diff --git a/src/svg/qsvgstyle_p.h b/src/svg/qsvgstyle_p.h
index 916c9fa..39aa690 100644
--- a/src/svg/qsvgstyle_p.h
+++ b/src/svg/qsvgstyle_p.h
@@ -577,6 +577,7 @@ public:
 void setStopLink(const QString &link, QSvgTinyDocument *doc);
 QString stopLink() const { return m_link; }
 void resolveStops();
+ void resolveStops_helper(QStringList *visited);
 void setMatrix(const QMatrix &matrix);
 QMatrix qmatrix() const
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 5b359b9..aa28ca9 100644
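Review bot: The `visited` check in `resolveStops_helper` ends reference loops, but the recursion depth is still one frame per distinct link followed, so a document with a very long loop-free chain of gradient links can still exhaust the stack on untrusted input. A depth cap on the same condition would bound it, for example `if (prop && visited->size() < maxLinkDepth && !visited->contains(m_link)) {`, where `maxLinkDepth` is a placeholder name for a constant the project would choose. `QStringList::contains` is also a linear scan per step, so resolving a chain is quadratic in its length; a `QSet<QString>` would avoid that. A comment such as `// visited: link ids already followed while resolving this chain` would document why link names rather than `this` are compared. The helper's body continues outside the hunk.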
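Review bot: `resolveStops_helper` is declared beside `resolveStops()` in what the hunk header shows as the `public:` section, although it appears to be an implementation detail that only `resolveStops()` should start with a fresh list. Declaring it under `private:` with a comment like `// visited: link ids already followed; must not be null` would keep callers from passing a stale or null list. Since qsvgstyle.cpp dereferences `visited` without a check, a reference parameter, `void resolveStops_helper(QStringList &visited);`, would state the non-null contract in the type. The class body starts and ends outside the hunk.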
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -67,6 +67,8 @@ private slots:
 void boundsOnElement() const;
 void gradientStops() const;
 void gradientRefs();
+ void recursiveRefs_data();
+ void recursiveRefs();
 void fillRule();
 void opacity();
 void paths();
@@ -674,6 +676,43 @@ void tst_QSvgRenderer::gradientRefs()
 }
 }
+void tst_QSvgRenderer::recursiveRefs_data()
+{
+ QTest::addColumn("svg");
+
+ QTest::newRow("single") << QByteArray(""
+ ""
+ ""
+ "");
+
+ QTest::newRow("double") << QByteArray(""
+ ""
+ ""
+ ""
+ "");
+
+ QTest::newRow("triple") << QByteArray(""
+ ""
+ ""
+ ""
+ ""
+ "");
+}
+
+void tst_QSvgRenderer::recursiveRefs()
+{
+ QFETCH(QByteArray, svg);
+
+ QImage image(20, 20, QImage::Format_ARGB32_Premultiplied);
+ image.fill(Qt::green);
+ QImage refImage = image.copy();
+
+ QSvgRenderer renderer(svg);
+ QPainter painter(&image);
+ renderer.render(&painter);
+ QCOMPARE(image, refImage);
+}
+
 #ifndef QT_NO_COMPRESS
 void tst_QSvgRenderer::testGzLoading()
--
cgit v1.2.1
From 1d86c1fe494f70aa8b802c911648ce370b937c63 Mon Sep 17 00:00:00 2001
From: Antti Kokko
Date: Mon, 1 Apr 2019 13:35:31 +0300
Subject: Add changes file for Qt 5.12.3
+ f6e5dc05855db60eab1568b5fe226922d1c899bb Don't leak nodes on parsing failures
+ f354d4be9a7a436fb16bd9764a261c930101850c Fix heap overflow in path parsing
+ 6f152f87dbbd47acc58458d636ce5d1cc181b8fd Fix IRI parsing, and use after free
+ d477ec8f40b28caf3a216d9e8550d8871d5131fb Bump version
Change-Id: Id70f4fd80e8aae4b40f28f795d11d9ef80a0b55f
Reviewed-by: Allan Sandfeld Jensen
---
 dist/changes-5.12.3 | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 dist/changes-5.12.3
diff --git a/dist/changes-5.12.3 b/dist/changes-5.12.3
new file mode 100644
index 0000000..2ca8f74
--- /dev/null
+++ b/dist/changes-5.12.3
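Review bot: `recursiveRefs_data()` has rows only for closed loops of one, two and three gradients ("single", "double", "triple"), judging by the row names, since the SVG payloads are not visible on this page. A row where the loop is entered from a gradient outside it, and one with a long chain that has no loop, would exercise the same `visited` logic on the shapes the three rows do not cover. `QCOMPARE(image, refImage)` also passes if the document is rejected and nothing is drawn, so if these inputs are meant to load, `QVERIFY(renderer.isValid());` before `renderer.render(&painter);` would distinguish a handled loop from an unparsed file.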
@@ -0,0 +1,23 @@
+Qt 5.12.3 is a bug-fix release. It maintains both forward and backward
+compatibility (source and binary) with Qt 5.12.0 through 5.12.2.
+
+For more details, refer to the online documentation included in this
+distribution. The documentation is also available online:
+
+https://doc.qt.io/qt-5/index.html
+
+The Qt version 5.12 series is binary compatible with the 5.11.x series.
+Applications compiled for 5.11 will continue to run with 5.12.
+
+Some of the changes listed in this file include issue tracking numbers
+corresponding to tasks in the Qt Bug Tracker:
+
+https://bugreports.qt.io/
+
+Each of these identifiers can be entered in the bug tracker to obtain more
+information about a particular change.
+
+ - [QTBUG-74083] Fixed leak on parsing failure.
+ - [QTBUG-74129] Fixed possible heap overflow in path parsing.
+ - [QTBUG-74189] Fixed crash with recursive gradient references.
+ - [QTBUG-74189] Fixed crash for recursive gradient references
--
cgit v1.2.1
From fd12ae24b4542cf2f0df1a34187c4b8c0a408e01 Mon Sep 17 00:00:00 2001
From: Robert Loehning
Date: Fri, 5 Apr 2019 13:58:34 +0200
Subject: Remove dedundant line from changes file
Change-Id: Ibfbd66c9722e3ac008679aa67545591854052fc9
Reviewed-by: Eirik Aavitsland
---
 dist/changes-5.12.3 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dist/changes-5.12.3 b/dist/changes-5.12.3
index 2ca8f74..f5b447f 100644
--- a/dist/changes-5.12.3
+++ b/dist/changes-5.12.3
@@ -20,4 +20,3 @@ information about a particular change.
 - [QTBUG-74083] Fixed leak on parsing failure.
 - [QTBUG-74129] Fixed possible heap overflow in path parsing.
 - [QTBUG-74189] Fixed crash with recursive gradient references.
- - [QTBUG-74189] Fixed crash for recursive gradient references
--
cgit v1.2.1