Overview

File 0004-Fix-stack-overflow-in-QSvgHandler-resolveGradients.patch of Package libqt5-qtsvg.21342

From e0d6cdc9858db3107127370155de863e605b4a2f Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 23 Jun 2020 10:27:37 +0200
Subject: [PATCH 04/21] Fix stack overflow in QSvgHandler::resolveGradients

Add a maximum to how deep it will nest.

Fixes oss-fuzz 23643

Change-Id: I6183c04f65a539a6c7df42bc7346a86ee58aca6c
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit 6b86b5de893e9885f8288af5a096444b30fa2628)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
(cherry picked from commit 2603105f7c9f99a04096ecba47b33b9cae80d795)
---
 src/svg/qsvghandler.cpp | 10 ++++++----
 src/svg/qsvghandler_p.h |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 885ae9e..2029a72 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3857,16 +3857,17 @@ bool QSvgHandler::endElement(const QStringRef &localName)
     return true;
 }
 
-void QSvgHandler::resolveGradients(QSvgNode *node)
+void QSvgHandler::resolveGradients(QSvgNode *node, int nestedDepth)
 {
     if (!node || (node->type() != QSvgNode::DOC && node->type() != QSvgNode::G
         && node->type() != QSvgNode::DEFS && node->type() != QSvgNode::SWITCH)) {
         return;
     }
+
     QSvgStructureNode *structureNode = static_cast<QSvgStructureNode *>(node);
 
-    QList<QSvgNode *> ren = structureNode->renderers();
-    for (QList<QSvgNode *>::iterator it = ren.begin(); it != ren.end(); ++it) {
+    const QList<QSvgNode *> ren = structureNode->renderers();
+    for (auto it = ren.begin(); it != ren.end(); ++it) {
         QSvgFillStyle *fill = static_cast<QSvgFillStyle *>((*it)->styleProperty(QSvgStyleProperty::FILL));
         if (fill && !fill->isGradientResolved()) {
             QString id = fill->gradientId();
@@ -3891,7 +3892,8 @@ void QSvgHandler::resolveGradients(QSvgNode *node)
             }
         }
 
-        resolveGradients(*it);
+        if (nestedDepth < 2048)
+            resolveGradients(*it, nestedDepth + 1);
     }
 }
 
diff --git a/src/svg/qsvghandler_p.h b/src/svg/qsvghandler_p.h
index 8eb061b..1b16950 100644
--- a/src/svg/qsvghandler_p.h
+++ b/src/svg/qsvghandler_p.h
@@ -178,7 +178,7 @@ private:
     QCss::Parser m_cssParser;
 #endif
     void parse();
-    void resolveGradients(QSvgNode *node);
+    void resolveGradients(QSvgNode *node, int nestedDepth = 0);
     void resolveNodes();
 
     QPen m_defaultPen;
-- 
2.20.1
openSUSE Build Service is sponsored by
Places