diff options
Diffstat (limited to 'user/qt5-qtsvg/kde-lts.patch')
| -rw-r--r-- | user/qt5-qtsvg/kde-lts.patch | 569 |
1 files changed, 25 insertions, 544 deletions
diff --git a/user/qt5-qtsvg/kde-lts.patch b/user/qt5-qtsvg/kde-lts.patch index d48da723b..13e611a4a 100644 --- a/user/qt5-qtsvg/kde-lts.patch +++ b/user/qt5-qtsvg/kde-lts.patch @@ -1,7 +1,7 @@ -From df7c94a391e69adef6e2b7f3d415496c6ba62ab1 Mon Sep 17 00:00:00 2001 +From 62ad7cfc0290d2723e7c0afacfb7dbee6a1b0293 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io> Date: Wed, 17 Feb 2021 19:20:42 +0100 -Subject: [PATCH 01/10] Avoid buffer overflow in isSupportedSvgFeature +Subject: [PATCH 1/5] Avoid buffer overflow in isSupportedSvgFeature Fixes oss-fuzz issue 29873. @@ -14,7 +14,7 @@ Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp -index b89608b..89c9e4e 100644 +index b89608b5..89c9e4ec 100644 --- a/src/svg/qsvgstructure.cpp +++ b/src/svg/qsvgstructure.cpp @@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str) @@ -34,48 +34,12 @@ index b89608b..89c9e4e 100644 return str == QLatin1String(wordlist[key]); } -- -2.36.0 +2.49.0 -From b8a829e3883b8a4ac564ac25d20d099797644c24 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io> -Date: Fri, 23 Jul 2021 13:53:47 +0200 -Subject: [PATCH 02/10] Limit font size to avoid numerous overflows - -The font size will be passed through a QFixed in -QFontEngineBox::ascent() and overflow there as well as in further places. - -[ChangeLog] Avoid numerous overflows by limiting font size to 0xffff. -This fixes oss-fuzz issue 31701. - -Pick-to: 5.15 6.1 6.2 -Change-Id: I2d00c5639804af9b056f0efc979e9899c5358cf7 -Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> -(cherry picked from commit 76eeb072cdffc1a8c776ed01864e6751ccbfba85) ---- - src/svg/qsvghandler.cpp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 9dac05c..e496a54 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1384,7 +1384,8 @@ static void parseFont(QSvgNode *node, - break; - case FontSizeValue: { - QSvgHandler::LengthType dummy; // should always be pixel size -- fontStyle->setSize(parseLength(attributes.fontSize, dummy, handler)); -+ fontStyle->setSize(qMin(parseLength(attributes.fontSize, dummy, handler), -+ qreal(0xffff))); - } - break; - default: --- -2.36.0 - -From 5b684556c7cbe136ff9f665b18a1e8c8e53f3175 Mon Sep 17 00:00:00 2001 +From 8d0ba96f68d8bf4ae2c6139ac88a026965bc6ef2 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <albert.astals.cid@kdab.com> Date: Mon, 11 Oct 2021 11:13:57 +0200 -Subject: [PATCH 03/10] Support font size not in pixels +Subject: [PATCH 2/5] Support font size not in pixels Fixes: QTBUG-97422 Pick-to: 6.2 @@ -87,10 +51,10 @@ Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index e496a54..6862494 100644 +index dd9b7164..f37bf42e 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp -@@ -1383,9 +1383,10 @@ static void parseFont(QSvgNode *node, +@@ -1393,9 +1393,10 @@ static void parseFont(QSvgNode *node, case FontSizeNone: break; case FontSizeValue: { @@ -105,12 +69,12 @@ index e496a54..6862494 100644 break; default: -- -2.36.0 +2.49.0 -From dd33c643251fbdcc9ed91f3617646a4367a434b7 Mon Sep 17 00:00:00 2001 +From 1342b53893ed984198d0664db491e3f4e353b405 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <albert.astals.cid@kdab.com> Date: Mon, 11 Oct 2021 11:11:26 +0200 -Subject: [PATCH 04/10] Fix text x/y when the length is not in pixels +Subject: [PATCH 3/5] Fix text x/y when the length is not in pixels Fixes: QTBUG-97421 Pick-to: 6.2 @@ -122,10 +86,10 @@ Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> 1 file changed, 2 insertions(+) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 6862494..ba894bc 100644 +index f37bf42e..836f9a65 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp -@@ -3346,7 +3346,9 @@ static QSvgNode *createTextNode(QSvgNode *parent, +@@ -3353,7 +3353,9 @@ static QSvgNode *createTextNode(QSvgNode *parent, //### editable and rotate not handled QSvgHandler::LengthType type; qreal nx = parseLength(x, type, handler); @@ -136,111 +100,12 @@ index 6862494..ba894bc 100644 QSvgNode *text = new QSvgText(parent, QPointF(nx, ny)); return text; -- -2.36.0 - -From 1f59a48d239045bda7cfd43ed48fbf8553d36756 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland <eirik.aavitsland@qt.io> -Date: Wed, 7 Jul 2021 10:09:58 +0200 -Subject: [PATCH 05/10] Fix parsing of arc elements in paths - -The arc element takes some flag parameters, which could be mixed up -with the float parameters since svg does not require delimiting -characters here. Hence legal svg would be misread.. - -Fixes: QTBUG-92184 -Pick-to: 6.2 6.1 5.15 -Change-Id: I5885c50d47e2e06ab0f02afefb7a5585c5c713ff -Reviewed-by: Paul Olav Tvete <paul.tvete@qt.io> -(cherry picked from commit b313862fa04d9a5403c16670a0d911eb3c633ee5) ---- - src/svg/qsvghandler.cpp | 19 ++++++++++++++++--- - tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 14 ++++++++++++++ - 2 files changed, 30 insertions(+), 3 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index ba894bc..bfacd56 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -728,15 +728,25 @@ static QVector<qreal> parseNumbersList(const QChar *&str) - return points; - } - --static inline void parseNumbersArray(const QChar *&str, QVarLengthArray<qreal, 8> &points) -+static inline void parseNumbersArray(const QChar *&str, QVarLengthArray<qreal, 8> &points, -+ const char *pattern = nullptr) - { -+ const size_t patternLen = qstrlen(pattern); - while (str->isSpace()) - ++str; - while (isDigit(str->unicode()) || - *str == QLatin1Char('-') || *str == QLatin1Char('+') || - *str == QLatin1Char('.')) { - -- points.append(toDouble(str)); -+ if (patternLen && pattern[points.size() % patternLen] == 'f') { -+ // flag expected, may only be 0 or 1 -+ if (*str != QLatin1Char('0') && *str != QLatin1Char('1')) -+ return; -+ points.append(*str == QLatin1Char('0') ? 0.0 : 1.0); -+ ++str; -+ } else { -+ points.append(toDouble(str)); -+ } - - while (str->isSpace()) - ++str; -@@ -1631,8 +1641,11 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - ++str; - QChar endc = *end; - *const_cast<QChar *>(end) = 0; // parseNumbersArray requires 0-termination that QStringRef cannot guarantee -+ const char *pattern = nullptr; -+ if (pathElem == QLatin1Char('a') || pathElem == QLatin1Char('A')) -+ pattern = "rrrffrr"; - QVarLengthArray<qreal, 8> arg; -- parseNumbersArray(str, arg); -+ parseNumbersArray(str, arg, pattern); - *const_cast<QChar *>(end) = endc; - if (pathElem == QLatin1Char('z') || pathElem == QLatin1Char('Z')) - arg.append(0);//dummy -diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp -index 8f1f03b..36c76ec 100644 ---- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp -+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp -@@ -74,6 +74,7 @@ private slots: - void fillRule(); - void opacity(); - void paths(); -+ void paths2(); - void displayMode(); - void strokeInherit(); - void testFillInheritance(); -@@ -1047,6 +1048,19 @@ void tst_QSvgRenderer::paths() - } - } - -+void tst_QSvgRenderer::paths2() -+{ -+ const char *svg = -+ "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"16\" height=\"16\">" -+ "<path d=\"M 3 8 A 5 5 0 1013 8\" id=\"path1\"/>" -+ "</svg>"; -+ -+ QByteArray data(svg); -+ QSvgRenderer renderer(data); -+ QVERIFY(renderer.isValid()); -+ QCOMPARE(renderer.boundsOnElement(QLatin1String("path1")).toRect(), QRect(3, 8, 10, 5)); -+} -+ - void tst_QSvgRenderer::displayMode() - { - static const char *svgs[] = { --- -2.36.0 +2.49.0 -From 8145bccbefe00a5daffd60c4e9fc11f551018df1 Mon Sep 17 00:00:00 2001 +From 45d600c4f73ae4cdc4cd87f622d680375ba7f573 Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen <allan.jensen@qt.io> Date: Fri, 5 Mar 2021 12:52:36 +0100 -Subject: [PATCH 06/10] Improve parsing of "r" +Subject: [PATCH 4/5] Improve parsing of "r" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -256,10 +121,10 @@ Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io> 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index bfacd56..9575f14 100644 +index 836f9a65..222b6d89 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp -@@ -2585,6 +2585,8 @@ static QSvgNode *createCircleNode(QSvgNode *parent, +@@ -2579,6 +2579,8 @@ static QSvgNode *createCircleNode(QSvgNode *parent, qreal ncx = toDouble(cx); qreal ncy = toDouble(cy); qreal nr = toDouble(r); @@ -268,7 +133,7 @@ index bfacd56..9575f14 100644 QRectF rect(ncx-nr, ncy-nr, nr*2, nr*2); QSvgNode *circle = new QSvgCircle(parent, rect); -@@ -3055,15 +3057,16 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, +@@ -3049,15 +3051,16 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, qreal ncx = 0.5; qreal ncy = 0.5; @@ -289,353 +154,12 @@ index bfacd56..9575f14 100644 qreal nfx = ncx; if (!fx.isEmpty()) -- -2.36.0 - -From 4469006285be9994f7b8ab4587f089716f59ebb9 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland <eirik.aavitsland@qt.io> -Date: Fri, 2 Jul 2021 16:09:30 +0200 -Subject: [PATCH 07/10] Fix parsing of animation clock values - -Color animation duration parsing mixed seconds and milliseconds. - -Factor out a common function for all clock value parsing, and -add checking for overflow and illegal values as a driveby.. - -Fixes: QTBUG-94878 -Pick-to: 6.2 6.1 5.15 -Change-Id: Ie1d974cd2db55a3d65d7ce02c373021021070489 -Reviewed-by: Paul Olav Tvete <paul.tvete@qt.io> -(cherry picked from commit 1da0a668e52994832d8a048772bed65b61cb0e9b) ---- - src/svg/qsvghandler.cpp | 70 ++++++++++++++++++++--------------------- - 1 file changed, 35 insertions(+), 35 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 9575f14..b542089 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -2373,6 +2373,27 @@ static bool parseAnimateNode(QSvgNode *parent, - return true; - } - -+static int parseClockValue(QString str, bool *ok) -+{ -+ int res = 0; -+ int ms = 1000; -+ str = str.trimmed(); -+ if (str.endsWith(QLatin1String("ms"))) { -+ str.chop(2); -+ ms = 1; -+ } else if (str.endsWith(QLatin1String("s"))) { -+ str.chop(1); -+ } -+ double val = ms * toDouble(str, ok); -+ if (ok) { -+ if (val > std::numeric_limits<int>::min() && val < std::numeric_limits<int>::max()) -+ res = static_cast<int>(val); -+ else -+ *ok = false; -+ } -+ return res; -+} -+ - static bool parseAnimateColorNode(QSvgNode *parent, - const QXmlStreamAttributes &attributes, - QSvgHandler *handler) -@@ -2406,23 +2427,13 @@ static bool parseAnimateColorNode(QSvgNode *parent, - } - } - -- int ms = 1000; -- beginStr = beginStr.trimmed(); -- if (beginStr.endsWith(QLatin1String("ms"))) { -- beginStr.chop(2); -- ms = 1; -- } else if (beginStr.endsWith(QLatin1String("s"))) { -- beginStr.chop(1); -- } -- durStr = durStr.trimmed(); -- if (durStr.endsWith(QLatin1String("ms"))) { -- durStr.chop(2); -- ms = 1; -- } else if (durStr.endsWith(QLatin1String("s"))) { -- durStr.chop(1); -- } -- int begin = static_cast<int>(toDouble(beginStr) * ms); -- int end = static_cast<int>((toDouble(durStr) + begin) * ms); -+ bool ok = true; -+ int begin = parseClockValue(beginStr, &ok); -+ if (!ok) -+ return false; -+ int end = begin + parseClockValue(durStr, &ok); -+ if (!ok || end <= begin) -+ return false; - - QSvgAnimateColor *anim = new QSvgAnimateColor(begin, end, 0); - anim->setArgs((targetStr == QLatin1String("fill")), colors); -@@ -2512,24 +2523,13 @@ static bool parseAnimateTransformNode(QSvgNode *parent, - } - } - -- int ms = 1000; -- beginStr = beginStr.trimmed(); -- if (beginStr.endsWith(QLatin1String("ms"))) { -- beginStr.chop(2); -- ms = 1; -- } else if (beginStr.endsWith(QLatin1String("s"))) { -- beginStr.chop(1); -- } -- int begin = static_cast<int>(toDouble(beginStr) * ms); -- durStr = durStr.trimmed(); -- if (durStr.endsWith(QLatin1String("ms"))) { -- durStr.chop(2); -- ms = 1; -- } else if (durStr.endsWith(QLatin1String("s"))) { -- durStr.chop(1); -- ms = 1000; -- } -- int end = static_cast<int>(toDouble(durStr)*ms) + begin; -+ bool ok = true; -+ int begin = parseClockValue(beginStr, &ok); -+ if (!ok) -+ return false; -+ int end = begin + parseClockValue(durStr, &ok); -+ if (!ok || end <= begin) -+ return false; - - QSvgAnimateTransform::TransformType type = QSvgAnimateTransform::Empty; - if (typeStr == QLatin1String("translate")) { --- -2.36.0 - -From 53ada351e2e8ac14d2e428813e959689ca6fe583 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland <eirik.aavitsland@qt.io> -Date: Mon, 25 Oct 2021 14:17:55 +0200 -Subject: [PATCH 08/10] Do stricter error checking when parsing path nodes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SVG spec mandates that path parsing should terminate on the first -error encountered, and an error be reported. To improve the handling -of corrupt files, implement such error handling, and also limit the -number of QPainterPath elements to a reasonable range. - -Fixes: QTBUG-96044 -Pick-to: 6.2 5.15 5.12 -Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> -Reviewed-by: Robert Löhning <robert.loehning@qt.io> -(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620) ---- - src/svg/qsvghandler.cpp | 59 +++++++++++++++++------------------------ - 1 file changed, 25 insertions(+), 34 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index b542089..2ea80ed 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -1627,6 +1627,7 @@ static void pathArc(QPainterPath &path, - - static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - { -+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this - qreal x0 = 0, y0 = 0; // starting point - qreal x = 0, y = 0; // current point - char lastMode = 0; -@@ -1634,7 +1635,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - const QChar *str = dataStr.constData(); - const QChar *end = str + dataStr.size(); - -- while (str != end) { -+ bool ok = true; -+ while (ok && str != end) { - while (str->isSpace() && (str + 1) != end) - ++str; - QChar pathElem = *str; -@@ -1651,14 +1653,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - arg.append(0);//dummy - const qreal *num = arg.constData(); - int count = arg.count(); -- while (count > 0) { -+ while (ok && count > 0) { - qreal offsetX = x; // correction offsets - qreal offsetY = y; // for relative commands - switch (pathElem.unicode()) { - case 'm': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0] + offsetX; -@@ -1675,8 +1676,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'M': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = x0 = num[0]; -@@ -1702,8 +1702,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'l': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0] + offsetX; -@@ -1716,8 +1715,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'L': { - if (count < 2) { -- num++; -- count--; -+ ok = false; - break; - } - x = num[0]; -@@ -1757,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'c': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0] + offsetX, num[1] + offsetY); -@@ -1774,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'C': { - if (count < 6) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1(num[0], num[1]); -@@ -1791,8 +1787,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 's': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1813,8 +1808,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'S': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c1; -@@ -1835,8 +1829,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0] + offsetX, num[1] + offsetY); -@@ -1851,8 +1844,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'Q': { - if (count < 4) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF c(num[0], num[1]); -@@ -1867,8 +1859,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 't': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0] + offsetX, num[1] + offsetY); -@@ -1888,8 +1879,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'T': { - if (count < 2) { -- num += count; -- count = 0; -+ ok = false; - break; - } - QPointF e(num[0], num[1]); -@@ -1909,8 +1899,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - case 'a': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1932,8 +1921,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - break; - case 'A': { - if (count < 7) { -- num += count; -- count = 0; -+ ok = false; - break; - } - qreal rx = (*num++); -@@ -1954,12 +1942,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) - } - break; - default: -- return false; -+ ok = false; -+ break; - } - lastMode = pathElem.toLatin1(); -+ if (path.elementCount() > maxElementCount) -+ ok = false; - } - } -- return true; -+ return ok; - } - - static bool parseStyle(QSvgNode *node, -@@ -2997,8 +2988,8 @@ static QSvgNode *createPathNode(QSvgNode *parent, - - QPainterPath qpath; - qpath.setFillRule(Qt::WindingFill); -- //XXX do error handling -- parsePathDataFast(data, qpath); -+ if (!parsePathDataFast(data, qpath)) -+ qCWarning(lcSvgHandler, "Invalid path data; path truncated."); - - QSvgNode *path = new QSvgPath(parent, qpath); - return path; --- -2.36.0 +2.49.0 -From 41ab201cd44e4f0c7f6d22fca862d5650bf574ee Mon Sep 17 00:00:00 2001 +From 9c149213f46b844607cf7db8f800d906db3a682f Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland <eirik.aavitsland@qt.io> Date: Mon, 25 Oct 2021 14:43:09 +0200 -Subject: [PATCH 09/10] SVG Image reading: Reject oversize svgs as corrupt +Subject: [PATCH 5/5] SVG Image reading: Reject oversize svgs as corrupt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -656,10 +180,10 @@ asturmlechner 2022-01-03: resolve conflict with preceding dev branch 1 file changed, 2 insertions(+) diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp -index 4136aaf..fd3529a 100644 +index 561e77e9..12e05748 100644 --- a/src/plugins/imageformats/svg/qsvgiohandler.cpp +++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp -@@ -189,6 +189,8 @@ bool QSvgIOHandler::read(QImage *image) +@@ -191,6 +191,8 @@ bool QSvgIOHandler::read(QImage *image) } } if (!finalSize.isEmpty()) { @@ -669,48 +193,5 @@ index 4136aaf..fd3529a 100644 QPainter p(image); d->r.render(&p, bounds); -- -2.36.0 - -From 23b8cf7d833c335d7735855570c05e9e0893a9b7 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland <eirik.aavitsland@qt.io> -Date: Wed, 5 Jan 2022 09:48:22 +0100 -Subject: [PATCH 10/10] Unconditionally stop parsing after the svg end tag -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -A QSvghandler may be created either with an external QXmlStreamReader -object, or with a bytearray/iodevice, in which case it will create its -own stream reader. The check to end parisng at the </svg> tag was -active only in the first case. This could result in different behavior -when reading an svg image from file vs. reading it from a bytearray -or resource. - -Fixes: QTBUG-99407 -Pick-to: 6.3 6.2 5.15 -Change-Id: I187b39256f2b16ea952a3ae1b77c067ff96e4155 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> -Reviewed-by: Robert Löhning <robert.loehning@qt.io> -(cherry picked from commit 1749388cdc765fca4206aaf0f84ac9b0877dfc9a) ---- - src/svg/qsvghandler.cpp | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp -index 2ea80ed..f2653af 100644 ---- a/src/svg/qsvghandler.cpp -+++ b/src/svg/qsvghandler.cpp -@@ -3696,9 +3696,7 @@ void QSvgHandler::parse() - case QXmlStreamReader::EndElement: - endElement(xml->name()); - ++remainingUnfinishedElements; -- // if we are using somebody else's qxmlstreamreader -- // we should not read until the end of the stream -- done = !m_ownsReader && (xml->name() == QLatin1String("svg")); -+ done = (xml->name() == QLatin1String("svg")); - break; - case QXmlStreamReader::Characters: - characters(xml->text()); --- -2.36.0 +2.49.0 |