From f6e5dc05855db60eab1568b5fe226922d1c899bb Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 26 Feb 2019 17:44:48 +0100
Subject: Don't leak nodes on parsing failures

The QSvgHandler always expects the caller to handle ownership of the
generated document, also when the parsing failed.

QSvgHandler also failed to handle misplaced group elements.

Fixes: QTBUG-74083
Change-Id: I8907117d4305ecd84e328b201791001cb877fc60
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
---
 src/svg/qsvghandler.cpp      | 12 +++++++++---
 src/svg/qsvgtinydocument.cpp |  7 ++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index dd31965..1767ad8 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3709,14 +3709,20 @@ bool QSvgHandler::startElement(const QString &localName,
             }
                 break;
             default:
+                const QByteArray msg = QByteArrayLiteral("Could not add child element to parent element because the types are incorrect.");
+                qCWarning(lcSvgHandler, "%s", prefixMessage(msg, xml).constData());
+                delete node;
+                node = 0;
                 break;
             }
         }
-        parseCoreNode(node, attributes);
+        if (node) {
+            parseCoreNode(node, attributes);
 #ifndef QT_NO_CSSPARSER
-        cssStyleLookup(node, this, m_selector);
+            cssStyleLookup(node, this, m_selector);
 #endif
-        parseStyle(node, attributes, this);
+            parseStyle(node, attributes, this);
+        }
     } else if (FactoryMethod method = findGraphicsFactory(localName)) {
         //rendering element
         Q_ASSERT(!m_nodes.isEmpty());
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 15351bd..813395f 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -187,6 +187,7 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
     } else {
         qCWarning(lcSvgHandler, "Cannot read file '%s', because: %s (line %d)",
                  qPrintable(fileName), qPrintable(handler.errorString()), handler.lineNumber());
+        delete handler.document();
     }
     return doc;
 }
@@ -207,6 +208,8 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
     if (handler.ok()) {
         doc = handler.document();
         doc->m_animationDuration = handler.animationDuration();
+    } else {
+        delete handler.document();
     }
     return doc;
 }
@@ -219,6 +222,8 @@ QSvgTinyDocument * QSvgTinyDocument::load(QXmlStreamReader *contents)
     if (handler.ok()) {
         doc = handler.document();
         doc->m_animationDuration = handler.animationDuration();
+    } else {
+        delete handler.document();
     }
     return doc;
 }
@@ -455,7 +460,7 @@ QMatrix QSvgTinyDocument::matrixForElement(const QString &id) const
             t *= node->m_style.transform->qtransform();
         node = node->parent();
     }
-    
+
     return t.toAffine();
 }
 
-- 
cgit v1.2.1