
From 223f2b10f99ec7c1f5e7e9708f244d335e22d12b Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Mon, 13 Jul 2020 20:53:11 +0200
Subject: [PATCH 06/21] Fix stack overflow in dtor of QSvgTinyDocument

Add a limit on how many unfinished
elements QSvgHandler will parse.

Fixes: oss-fuzz-24000
Change-Id: I4cea0500d2bc503d2c509d091300dd1117170299
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 2fc2cb44b275c7c18c2db262eec443eb198b9cc6)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit a8ed1cd03bf524072d13c66ab14da8ff1b22cde2)
---
 src/svg/qsvghandler.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 14f7905..ab5f9ef 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3633,6 +3633,10 @@ void QSvgHandler::init()
     parse();
 }
 
+// Having too many unfinished elements will cause a stack overflow
+// in the dtor of QSvgTinyDocument, see oss-fuzz issue 24000.
+static const int unfinishedElementsLimit = 2048;
+
 void QSvgHandler::parse()
 {
     xml->setNamespaceProcessing(false);
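Review bot: The comment above the new constant explains what goes wrong but not what the number bounds; the later hunks decrement the counter on StartElement and restore it on EndElement, so it is a bound on element nesting depth, not on the total number of elements in a file. Suggest saying so, e.g. `// Maximum element nesting depth accepted by parse(); deeper input is rejected.` Since the value is only ever compared, `static constexpr int unfinishedElementsLimit = 2048;` would also make the compile-time nature explicit, assuming the file already uses constexpr elsewhere.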
@@ -3641,6 +3645,7 @@ void QSvgHandler::parse()
     m_inStyle = false;
 #endif
     bool done = false;
+    int remainingUnfinishedElements = unfinishedElementsLimit;
     while (!xml->atEnd() && !done) {
         switch (xml->readNext()) {
         case QXmlStreamReader::StartElement:
@@ -3652,7 +3657,10 @@ void QSvgHandler::parse()
             // namespaceUri is empty. The only possible strategy at
             // this point is to do what everyone else seems to do and
             // ignore the reported namespaceUri completely.
-            if (!startElement(xml->name().toString(), xml->attributes())) {
+            if (remainingUnfinishedElements
+                    && startElement(xml->name().toString(), xml->attributes())) {
+                --remainingUnfinishedElements;
+            } else {
                 delete m_doc;
                 m_doc = 0;
                 return;
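Review bot: When the depth limit is what trips the new condition, the else branch discards the document exactly as a startElement() failure does, so a rejected deeply nested input is indistinguishable from a malformed one in logs or fuzzer output. Consider a diagnostic in the limit case before the delete, e.g. `if (!remainingUnfinishedElements) qWarning("QSvgHandler: element nesting deeper than %d, document rejected", unfinishedElementsLimit);`. The merged condition also makes the limit case the leftmost operand, which short-circuits startElement(); a one-line comment at the decrement noting that the counter is per-nesting-level would help readers of this hunk. parse() continues past the end of this hunk.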
@@ -3660,6 +3668,7 @@ void QSvgHandler::parse()
             break;
         case QXmlStreamReader::EndElement:
             endElement(xml->name());
+            ++remainingUnfinishedElements;
             // if we are using somebody else's qxmlstreamreader
             // we should not read until the end of the stream
             done = !m_ownsReader && (xml->name() == QLatin1String("svg"));
-- 
2.20.1
