File 0003-Fix-oom-in-QSvgTinyDocument-load.patch of Package libqt5-qtsvg.21342

From 25aef2d0f6bc1c0337309505eab78f98c54a40e8 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 23 Jun 2020 11:24:47 +0200
Subject: [PATCH 03/21] Fix oom in QSvgTinyDocument::load

Avoid overflowing the size integer.

Fixes oss-fuzz 23606

Change-Id: Iaae2c1e78e59737bba0e34791de4a3a92677f319
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 99a86c1bc347092d76f1288d901b30643b8eea6c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 44d3c3535038d3a90142d718ff833f5f1ac2720a)
---
 src/svg/qsvgtinydocument.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index 6889f7b..695e7c6 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -125,6 +125,12 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
         do {
             // Prepare the destination buffer
             int oldSize = destination.size();
+            if (oldSize > INT_MAX - CHUNK_SIZE) {
+                inflateEnd(&zlibStream);
+                qCWarning(lcSvgHandler, "Error while inflating gzip file: integer size overflow");
+                return destination;
+            }
+
             destination.resize(oldSize + CHUNK_SIZE);
             zlibStream.next_out = reinterpret_cast<Bytef*>(
                     destination.data() + oldSize - zlibStream.avail_out);
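Review bot: The new guard fires only once `destination` is within `CHUNK_SIZE` of `INT_MAX`, so a small, highly compressed input can still grow the buffer to nearly 2 GiB before it is rejected. That prevents the integer overflow but does not bound memory use; checking against a much lower cap on inflated size, e.g. `if (oldSize > kMaxInflatedSize - CHUNK_SIZE)` (placeholder name, limit to be chosen by the project), would cover both. The early exit also does `return destination;`, which hands the caller the partially inflated data as if it were a usable result. If the other error paths in `qt_inflateGZipDataFrom` return an empty array (they are outside this hunk, so this is an assumption), `return QByteArray();` would be consistent and would keep a truncated document from being parsed. The function body starts and ends outside the hunk.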
-- 
2.20.1
