Overview

File 0009-Avoid-endless-recursion-when-inflating-gzip.patch of Package libqt5-qtsvg.21342

From 155a177c32e3d126c8a82be5c0b0cf7e8a9f7b0b Mon Sep 17 00:00:00 2001
From: Robert Loehning <robert.loehning@qt.io>
Date: Mon, 20 Jul 2020 19:07:11 +0200
Subject: [PATCH 09/21] Avoid endless recursion when inflating gzip

Fixes: oss-fuzz-24146
Change-Id: I52a974e6a0694fb4afb50d932b2e99917c3034b2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 8368111c76471a7415c29ba293848003fca2a4af)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 4b1514df3c1f9c10d883b2dffff856321ccccca0)
---
 src/svg/qsvgtinydocument.cpp                 | 8 +++++---
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 3 +--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp
index b77695b..cf7ba75 100644
--- a/src/svg/qsvgtinydocument.cpp
+++ b/src/svg/qsvgtinydocument.cpp
@@ -145,8 +145,7 @@ QByteArray qt_inflateGZipDataFrom(QIODevice *device)
                     inflateEnd(&zlibStream);
                     qCWarning(lcSvgHandler, "Error while inflating gzip file: %s",
                             (zlibStream.msg != NULL ? zlibStream.msg : "Unknown error"));
-                    destination.chop(zlibStream.avail_out);
-                    return destination;
+                    return QByteArray();
                 }
             }
 
@@ -204,7 +203,10 @@ QSvgTinyDocument * QSvgTinyDocument::load(const QByteArray &contents)
     // Check for gzip magic number and inflate if appropriate
     if (contents.startsWith("\x1f\x8b")) {
         QBuffer buffer(const_cast<QByteArray *>(&contents));
-        return load(qt_inflateGZipDataFrom(&buffer));
+        const QByteArray inflated = qt_inflateGZipDataFrom(&buffer);
+        if (inflated.isNull())
+            return nullptr;
+        return load(inflated);
     }
 #endif
 
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index efd80dd..2acc06f 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -759,10 +759,9 @@ void tst_QSvgRenderer::testGzHelper_data()
             "cbcfe70200a865327e040000001f8b08001c2a934800034b4a2ce20200e9b3a20404000000"))
         << QByteArray("foo\nbar\n");
 
-    // We should still get data of the first member if subsequent members are corrupt
     QTest::newRow("corruptedSecondMember") << QByteArray::fromHex(QByteArray("1f8b08001c2a934800034b"
             "cbcfe70200a865327e040000001f8c08001c2a934800034b4a2ce20200e9b3a20404000000"))
-        << QByteArray("foo\n");
+        << QByteArray();
 
 }
 
-- 
2.20.1
openSUSE Build Service is sponsored by
Places