From 6f152f87dbbd47acc58458d636ce5d1cc181b8fd Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Thu, 28 Feb 2019 11:20:27 +0100
Subject: Fix IRI parsing, and use after free

Make the parsing of IRI references tighter, and avoid freeing styles when inserting a duplicate id.

Fixes: QTBUG-74104
Change-Id: I3a12fcf09ce1c55c135a4209817413ed8af75dec
Reviewed-by: Robert Loehning
Reviewed-by: Eirik Aavitsland
---
 src/svg/qsvghandler.cpp | 14 ++++++++++++--
 src/svg/qsvgtinydocument.cpp | 5 ++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 463ec01..599ed56 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -774,21 +774,31 @@ static QVector parsePercentageList(const QChar *&str)
 static QString idFromUrl(const QString &url)
 {
+ // The form is url(), where IRI can be
+ // just an ID on # form.
 QString::const_iterator itr = url.constBegin();
 QString::const_iterator end = url.constEnd();
+ QString id;
 while (itr != end && (*itr).isSpace())
 ++itr;
 if (itr != end && (*itr) == QLatin1Char('('))
 ++itr;
+ else
+ return QString();
 while (itr != end && (*itr).isSpace())
 ++itr;
- if (itr != end && (*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#')) {
+ id += *itr;
 ++itr;
- QString id;
+ } else {
+ return QString();
+ }
 while (itr != end && (*itr) != QLatin1Char(')')) {
 id += *itr;
 ++itr;
 }
+ if (itr == end || (*itr) != QLatin1Char(')'))
+ return QString();
 return id;
 }
diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 813395f..da464cc 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
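Review bot: The value returned by idFromUrl now carries the leading '#' (the `id += *itr;` added inside the `'#'` branch), whereas the removed code stepped past that character before collecting, so any caller that compares the result against bare ids will miss unless it strips the prefix; I cannot see the callers here, so this should be confirmed. Trailing whitespace before the closing parenthesis, as in `url(#id )`, is still copied into the id by the collection loop while leading whitespace is skipped, so a verbatim lookup would fail for such input. The new header comment should spell out the contract and the deliberate restriction, e.g. `// Returns the reference including its leading '#', or an empty string unless the value is exactly url(#id); non-fragment IRIs are rejected on purpose.`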
@@ -363,7 +363,10 @@ QSvgNode *QSvgTinyDocument::namedNode(const QString &id) const
 void QSvgTinyDocument::addNamedStyle(const QString &id, QSvgFillStyleProperty *style)
 {
- m_namedStyles.insert(id, style);
+ if (!m_namedStyles.contains(id))
+ m_namedStyles.insert(id, style);
+ else
+ qCWarning(lcSvgHandler) << "Duplicate unique style id:" << id;
 }
 QSvgFillStyleProperty *QSvgTinyDocument::namedStyle(const QString &id) const
-- 
cgit v1.2.1
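Review bot: On the duplicate branch `style` is neither stored nor released, and nothing in the hunk says who owns it, so if callers allocate the property expecting the document to take ownership it now leaks on this path; that is a reasonable trade against the freed-while-still-referenced pointer the commit message describes, but the ownership assumption should be written down. A comment above the new `if`, such as `// First definition wins: a duplicate id must not replace the stored pointer, which other nodes may already hold; the rejected style stays with the caller.`, would record both the intent and the lifetime expectation. Since namedStyle later resolves references by this map, the first-wins rule is now part of the document's observable behaviour and belongs in the function's documentation as well.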