From 4b1514df3c1f9c10d883b2dffff856321ccccca0 Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Mon, 20 Jul 2020 19:07:11 +0200
Subject: Avoid endless recursion when inflating gzip

Fixes: oss-fuzz-24146
Change-Id: I52a974e6a0694fb4afb50d932b2e99917c3034b2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 8368111c76471a7415c29ba293848003fca2a4af)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/svg/qsvgtinydocument.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src/svg/qsvgtinydocument.cpp')

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index b77695b..cf7ba75 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -145,8 +145,7 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
                     inflateEnd(&zlibStream);
                     qCWarning(lcSvgHandler, "Error while inflating gzip file: %s",
                             (zlibStream.msg != NULL ? zlibStream.msg : "Unknown error"));
-                    destination.chop(zlibStream.avail_out);
-                    return destination;
+                    return QByteArray();
                 }
             }
 
@@ -204,7 +203,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
     // Check for gzip magic number and inflate if appropriate
     if (contents.startsWith("\x1f\x8b")) {
         QBuffer buffer(const_cast<QByteArray *>(&contents));
-        return load(qt_inflateGZipDataFrom(&buffer));
+        const QByteArray inflated = qt_inflateGZipDataFrom(&buffer);
+        if (inflated.isNull())
+            return nullptr;
+        return load(inflated);
     }
 #endif
 
-- 
cgit v1.2.1