File 0005-Sanitize-lengthValue-in-CSS-parser.patch of Package libqt5-qtbase.17069

From b389f1fa8eefd3c01a45d85b5c915bc92a0576e5 Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Thu, 16 Jul 2020 21:14:58 +0200
Subject: [PATCH 05/11] Sanitize lengthValue in CSS parser

Limit the LengthData to the integer range before rounding it, taking
into account that qRound() subtracts 1 from negative values.

Fixes: oss-fuzz-23220
Change-Id: I1b4383f3c33aac22746831002b2c74fc134faf77
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit 188501fe27899cdc6a1aacf0d8c1a11144bd564a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit a2b1ab0e6e85f684db15cb793c36145f0bc4e45d)
---
 src/gui/text/qcssparser.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 325fd26a31..78ddc04afd 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -416,11 +416,10 @@ LengthData ValueExtractor::lengthValue(const Value& v)
 
 static int lengthValueFromData(const LengthData& data, const QFont& f)
 {
-    if (data.unit == LengthData::Ex)
-        return qRound(QFontMetrics(f).xHeight() * data.number);
-    else if (data.unit == LengthData::Em)
-        return qRound(QFontMetrics(f).height() * data.number);
-    return qRound(data.number);
+    const int scale = (data.unit == LengthData::Ex ? QFontMetrics(f).xHeight()
+                      : data.unit == LengthData::Em ? QFontMetrics(f).height() : 1);
+    // raised lower limit due to the implementation of qRound()
+    return qRound(qBound(double(INT_MIN) + 0.1, scale * data.number, double(INT_MAX)));
 }
 
 int ValueExtractor::lengthValue(const Declaration &decl)
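Review bot: A NaN in `scale * data.number` is not rejected explicitly before the clamp in the new `return` line of lengthValueFromData; whether it comes out as a defined int depends on how qBound orders its comparisons, which this hunk does not show. Converting NaN to int is undefined, the same class of problem as the out-of-range values this patch bounds, and a zero `scale` multiplied by an infinite number would also produce NaN. If the parser can pass such values through (not visible here), a guard such as `if (qIsNaN(scale * data.number)) return 0;` before the return would make the result independent of qBound's internals. The comment could also say why 0.1 is enough, for example `// qRound() evaluates int(d - 1) for negative d; the +0.1 keeps d - 1 from truncating below INT_MIN`.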
-- 
2.25.1
