From dd8505ae9c64ba04ecebd62a91ad098c01fb2f40 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 22 Jun 2020 13:46:39 +0200
Subject: Handle empty rects

Avoids a division by zero, also we don't appear to support auto sizes, so width and height are required attributes. Fixes oss-fuzz issue 23588.

Change-Id: Ib3474c2ed4409977f6ffcf73088956c6c59ce4ad
Reviewed-by: Volker Hilsheimer
Reviewed-by: Robert Loehning
(cherry picked from commit 78cbbc1aa3a4802b2eeec8b5abfe196e05df1b16)
Reviewed-by: Qt Cherry-pick Bot
---
 src/svg/qsvghandler.cpp | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index fe79977..885ae9e 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3058,17 +3058,27 @@ static QSvgNode *createRectNode(QSvgNode *parent,
 const QStringRef rx = attributes.value(QLatin1String("rx"));
 const QStringRef ry = attributes.value(QLatin1String("ry"));

+ bool ok = true;
 QSvgHandler::LengthType type;
- qreal nwidth = parseLength(width, type, handler);
+ qreal nwidth = parseLength(width, type, handler, &ok);
+ if (!ok)
+ return nullptr;
 nwidth = convertToPixels(nwidth, true, type);
-
- qreal nheight = parseLength(height, type, handler);
+ qreal nheight = parseLength(height, type, handler, &ok);
+ if (!ok)
+ return nullptr;
 nheight = convertToPixels(nheight, true, type);
 qreal nrx = toDouble(rx);
 qreal nry = toDouble(ry);

- QRectF bounds(toDouble(x), toDouble(y),
- nwidth, nheight);
+ QRectF bounds(toDouble(x), toDouble(y), nwidth, nheight);
+ if (bounds.isEmpty())
+ return nullptr;
+
+ if (!rx.isEmpty() && ry.isEmpty())
+ nry = nrx;
+ else if (!ry.isEmpty() && rx.isEmpty())
+ nrx = nry;

 //9.2 The 'rect' element clearly specifies it
 // but the case might in fact be handled because
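Review bot: The new `bounds.isEmpty()` guard rejects only a width or height that is `<= 0`, so a NaN or infinite size (every comparison with NaN is false) would still pass it and reach the radius clamping and scaling that follow outside this hunk; whether `parseLength()` or `convertToPixels()` can return such values for malformed input is not visible here and should be confirmed. If they can, the check could become `if (bounds.isEmpty() || !qIsFinite(nwidth) || !qIsFinite(nheight)) return nullptr;`. `x`, `y`, `rx` and `ry` still go through `toDouble()` with no validity check, unlike the new `&ok` handling for width and height. A short comment above the early returns, e.g. `// width/height are required; an empty rect is not rendered and would divide by zero below`, would record why a null node is returned, and the callers of createRectNode(), which are outside the hunk, must tolerate `nullptr`.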
@@ -3078,11 +3088,6 @@ static QSvgNode *createRectNode(QSvgNode *parent,
 if (nry > bounds.height()/2)
 nry = bounds.height()/2;

- if (!rx.isEmpty() && ry.isEmpty())
- nry = nrx;
- else if (!ry.isEmpty() && rx.isEmpty())
- nrx = nry;
-
 //we draw rounded rect from 0...99
 //svg from 0...bounds.width()/2 so we're adjusting the
 //coordinates
--
cgit v1.2.1