File 0015-Implement-basic-format-check-also-for-comp... of Package libqt5-qtsvg.21342

Overview Repositories Revisions Requests Users Attributes Meta

File 0015-Implement-basic-format-check-also-for-compressed-svg.patch of Package libqt5-qtsvg.21342

From 9443796e030cb1b795794f10e6ff3447e17cd649 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Wed, 26 Aug 2020 09:04:35 +0200
Subject: [PATCH 15/21] Implement basic format check also for compressed svgs

For uncompressed files, QSvgIOhandler::canRead() will reject any file
that does not start out with a svg or xml tag. That rudimentary check
was never done for compressed files (svgz).

Implement the check during the decompressing itself, so that we can
fail early and not waste time and memory decompressing potentially
huge files that are anyway not valid svgs.

Fixes: oss-fuzz-24611
Change-Id: I154efd8adafe7f09307e8b28a66b536539b1e4bd
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 93466dad6613085a5044a862a3a84a4eba6fcef9)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit a84f09136e675f7a080638beae86ec3ec8fb4f94)
---
 src/svg/qsvgtinydocument.cpp | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index a202a25..d7a6c8e 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -71,13 +71,15 @@ QSvgTinyDocument::~QSvgTinyDocument()
 }
 
 #ifndef QT_NO_COMPRESS
+static QByteArray qt_inflateSvgzDataFrom(QIODevice *device, bool doCheckContent = true);
 #   ifdef QT_BUILD_INTERNAL
-Q_AUTOTEST_EXPORT QByteArray qt_inflateGZipDataFrom(QIODevice *device);
-#   else
-static QByteArray qt_inflateGZipDataFrom(QIODevice *device);
+Q_AUTOTEST_EXPORT QByteArray qt_inflateGZipDataFrom(QIODevice *device)
+{
+    return qt_inflateSvgzDataFrom(device, false); // autotest wants unchecked result
+}
 #   endif
 
-QByteArray qt_inflateGZipDataFrom(QIODevice *device)
+static QByteArray qt_inflateSvgzDataFrom(QIODevice *device, bool doCheckContent)
 {
     if (!device)
         return QByteArray();
@@ -153,6 +155,17 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
         // it means we have to provide more data, so exit the loop here
         } while (!zlibStream.avail_out);
 
+        if (doCheckContent) {
+            // Quick format check, equivalent to QSvgIOHandler::canRead()
+            QByteArray buf = destination.left(8);
+            if (!buf.contains("<?xml") && !buf.contains("<svg") && !buf.contains("<!--")) {
+                inflateEnd(&zlibStream);
+                qCWarning(lcSvgHandler, "Error while inflating gzip file: SVG format check failed");
+                return QByteArray();
+            }
+            doCheckContent = false; // Run only once, on first chunk
+        }
+
         if (zlibResult == Z_STREAM_END) {
             // Make sure there are no more members to process before exiting
             if (!(zlibStream.avail_in && inflateReset(&zlibStream) == Z_OK))
@@ -180,7 +193,7 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QString &fileName)
 #ifndef QT_NO_COMPRESS
     if (fileName.endsWith(QLatin1String(".svgz"), Qt::CaseInsensitive)
             || fileName.endsWith(QLatin1String(".svg.gz"), Qt::CaseInsensitive)) {
-        return load(qt_inflateGZipDataFrom(&file));
+        return load(qt_inflateSvgzDataFrom(&file));
     }
 #endif
 
@@ -203,7 +216,7 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
     // Check for gzip magic number and inflate if appropriate
     if (contents.startsWith("\x1f\x8b")) {
         QBuffer buffer(const_cast<QByteArray *>(&contents));
-        const QByteArray inflated = qt_inflateGZipDataFrom(&buffer);
+        const QByteArray inflated = qt_inflateSvgzDataFrom(&buffer);
         if (inflated.isNull())
             return nullptr;
         return load(inflated);
-- 
2.20.1

Places

File 0015-Implement-basic-format-check-also-for-compressed-svg.patch of Package libqt5-qtsvg.21342

Places