From 99a86c1bc347092d76f1288d901b30643b8eea6c Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Tue, 23 Jun 2020 11:24:47 +0200
Subject: Fix oom in QSvgTinyDocument::load

Avoid overflowing the size integer.
Fixes ozz-fuzz 23606
Pick-to: 5.15 5.12
Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319
Reviewed-by: Robert Loehning
Reviewed-by: Volker Hilsheimer
---
 src/svg/qsvgtinydocument.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src')

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 9e5da82..295f535 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -127,6 +127,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
     do {
         // Prepare the destination buffer
         int oldSize = destination.size();
+        if (oldSize > INT_MAX - CHUNK_SIZE) {
+            inflateEnd(&zlibStream);
+            qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+            return destination;
+        }
+
         destination.resize(oldSize + CHUNK_SIZE);
         zlibStream.next_out = reinterpret_cast(
                 destination.data() + oldSize - zlibStream.avail_out);
-- 
cgit v1.2.1
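Review bot: The new early return hands back `destination` without trimming the unwritten tail: the context line `destination.data() + oldSize - zlibStream.avail_out` shows that after each iteration the last `zlibStream.avail_out` bytes of the buffer have not been filled by inflate, so the buffer returned on this path ends in `avail_out` bytes of garbage unless the caller or the code outside the hunk accounts for that. Adding `destination.chop(zlibStream.avail_out);` before `return destination;` would make the returned data end at the last byte inflate actually produced, matching what a reader of the warning would expect. Note also that the guard caps growth at the integer limit rather than at a resource limit, so a crafted gzip stream can still drive the allocation toward ~INT_MAX bytes before the loop stops; if the document loader has a lower acceptable size, a comment stating that `INT_MAX - CHUNK_SIZE` is only the overflow bound (not a decompression-size policy) would help the next maintainer, and `INT_MAX` presumably needs `<climits>` in scope — confirm against the includes, which are outside the hunk. The enclosing `qt_inflateGZipDataFrom` begins and ends outside this hunk, so the other error paths it takes are not visible here.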