From 1b5ab50692bd7df0bb044aec1f95120ae20560ad Mon Sep 17 00:00:00 2001
From: Eskil Abrahamsen Blomfeldt
Date: Wed, 6 Jul 2022 13:52:46 +0200
Subject: Avoid undefined behavior when painter transform goes oob

With some broken input files, we can end up with a matrix that scales or translates so far that it ends up with NaNs or Infs. This causes undefined behavior later when doing comparisons. We protect against this by checking for matrix validity after transforming and resetting the matrix if it becomes invalid.

Pick-to: 5.15 6.2 6.3 6.4
Fixes: QTBUG-101698
Change-Id: Iabc745c1e7a0c36449f14c4c6d9bc8066eaa8eac
Reviewed-by: Eirik Aavitsland
---
 src/svg/qsvgtinydocument.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'src')
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index f6dacd8..49a796c 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -397,8 +397,16 @@ void QSvgTinyDocument::draw(QPainter *p, QSvgExtraStates &)
 draw(p);
 }
 
+static bool isValidMatrix(const QTransform &transform)
+{
+ qreal determinant = transform.determinant();
+ return qIsFinite(determinant);
+}
+
 void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect, const QRectF &sourceRect)
 {
+ QTransform oldTransform = p->worldTransform();
+
 QRectF target = targetRect;
 if (target.isEmpty()) {
 QPaintDevice *dev = p->device();
@@ -447,6 +455,9 @@ void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect,
 p->translate(-source.x(), -source.y());
 }
 }
+
+ if (!isValidMatrix(p->worldTransform()))
+ p->setWorldTransform(oldTransform);
 }
 
 QRectF QSvgTinyDocument::boundsOnElement(const QString &id) const
-- 
cgit v1.2.1
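Review bot: `isValidMatrix()` in the first hunk (@@ -397,8 +397,16) tests only that the determinant is finite, which is narrower than its name suggests and is not explained anywhere. A singular matrix (determinant 0) still counts as valid, and a NaN or Inf element is caught only because, under IEEE arithmetic, it propagates into the determinant; the determinant formula is outside this hunk, so that is worth confirming, as is the behaviour under fast-math builds. Because this helper is the guard for malformed and possibly untrusted SVG input, I would state the contract above it, e.g. `// Rejects any matrix with a NaN or Inf element: such a value propagates into the determinant. Singular but finite matrices pass.`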
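Review bot: When the check added at the end of `mapSourceToTarget()` (second hunk, @@ -447,6 +455,9) fails, the painter is silently restored to `oldTransform`, so the document is presumably drawn without the source-to-target mapping and nothing records that the input produced a non-finite matrix. A warning on that path would make such files visible when triaging malformed or hostile SVG input, e.g. `qWarning("QSvgTinyDocument: non-finite view transform, keeping the painter's previous transform");` inside a braced `if` (or the file's own logging category, if it has one). The validation also runs only after the scale and translate calls have already been applied to the painter; most of the function body lies outside the hunk, so whether the painter or its engine can act on the invalid intermediate transform before the reset is something to confirm.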