From 62ad7cfc0290d2723e7c0afacfb7dbee6a1b0293 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20L=C3=B6hning?= Date: Wed, 17 Feb 2021 19:20:42 +0100 Subject: [PATCH 1/5] Avoid buffer overflow in isSupportedSvgFeature Fixes oss-fuzz issue 29873. Pick-to: 6.0 6.1 Change-Id: I382683aa2d7d3cf2d05a0b8c41ebf21d032fbd7c Reviewed-by: Eirik Aavitsland (cherry picked from commit afde7ca3a40f524e40052df696f74190452b22cb) --- src/svg/qsvgstructure.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp index b89608b5..89c9e4ec 100644 --- a/src/svg/qsvgstructure.cpp +++ b/src/svg/qsvgstructure.cpp @@ -255,9 +255,13 @@ inline static bool isSupportedSvgFeature(const QString &str) }; if (str.length() <= MAX_WORD_LENGTH && str.length() >= MIN_WORD_LENGTH) { + const char16_t unicode44 = str.at(44).unicode(); + const char16_t unicode45 = str.at(45).unicode(); + if (unicode44 >= sizeof(asso_values) || unicode45 >= sizeof(asso_values)) + return false; const int key = str.length() - + asso_values[str.at(45).unicode()] - + asso_values[str.at(44).unicode()]; + + asso_values[unicode45] + + asso_values[unicode44]; if (key <= MAX_HASH_VALUE && key >= 0) return str == QLatin1String(wordlist[key]); } -- 2.49.0 From 8d0ba96f68d8bf4ae2c6139ac88a026965bc6ef2 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid Date: Mon, 11 Oct 2021 11:13:57 +0200 Subject: [PATCH 2/5] Support font size not in pixels Fixes: QTBUG-97422 Pick-to: 6.2 Change-Id: I4df2af0e657f241af69480e6e30d454870df51d8 Reviewed-by: Eirik Aavitsland (cherry picked from commit 4531aad935d55924a32212b339c657ce363a6c08) --- src/svg/qsvghandler.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index dd9b7164..f37bf42e 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp 
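Review bot: The new guard compares `unicode44`/`unicode45` against `sizeof(asso_values)`, which is the table's size in bytes rather than its element count; if asso_values is a byte array (as gperf emits) the two coincide, but with a wider element type the bound would be too large and the out-of-bounds read this patch fixes would survive. `if (unicode44 >= std::size(asso_values) || unicode45 >= std::size(asso_values))` (from `<iterator>`, already C++17) states the intent and stays correct whatever the element type. The declaration of asso_values and the rest of isSupportedSvgFeature lie outside the hunk, so whether the element type is one byte cannot be confirmed here.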
@@ -1393,9 +1393,10 @@ static void parseFont(QSvgNode *node,
 case FontSizeNone:
 break;
 case FontSizeValue: {
- QSvgHandler::LengthType dummy; // should always be pixel size
- fontStyle->setSize(qMin(parseLength(attributes.fontSize, dummy, handler),
- qreal(0xffff)));
+ QSvgHandler::LengthType type;
+ qreal fs = parseLength(attributes.fontSize, type, handler);
+ fs = convertToPixels(fs, true, type);
+ fontStyle->setSize(qMin(fs, qreal(0xffff)));
 }
 break;
 default:
-- 
2.49.0

From 1342b53893ed984198d0664db491e3f4e353b405 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid
Date: Mon, 11 Oct 2021 11:11:26 +0200
Subject: [PATCH 3/5] Fix text x/y when the length is not in pixels

Fixes: QTBUG-97421
Pick-to: 6.2
Change-Id: I41f3cbf8e747530a67fe5074a988ba49aeb43b8e
Reviewed-by: Eirik Aavitsland
(cherry picked from commit fc1e1878743bcaac0c81a4748a00d0042cc15815)
---
 src/svg/qsvghandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index f37bf42e..836f9a65 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3353,7 +3353,9 @@ static QSvgNode *createTextNode(QSvgNode *parent, //### editable and rotate not handled QSvgHandler::LengthType type; qreal nx = parseLength(x, type, handler); + nx = convertToPixels(nx, true, type); qreal ny = parseLength(y, type, handler); + ny = convertToPixels(ny, true, type); QSvgNode *text = new QSvgText(parent, QPointF(nx, ny)); return text;
-- 
2.49.0

From 45d600c4f73ae4cdc4cd87f622d680375ba7f573 Mon Sep 17 00:00:00 2001
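Review bot: The bare literal `true` in `fs = convertToPixels(fs, true, type);` tells the reader nothing about what the flag selects, and the old `// should always be pixel size` comment that at least explained the previous assumption is gone without a replacement. Either bind the flag to a named local at the call site or attach a short `/* meaning */` comment naming what the second parameter controls; the same unexplained literal appears in both `convertToPixels(nx, true, type)` and `convertToPixels(ny, true, type)` in the createTextNode hunk of patch 3. If convertToPixels passes LT_PERCENT values through unchanged, a percentage font-size would still be stored here as that many pixels — not visible in the hunk, worth confirming. parseFont continues outside the hunk.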
From: Allan Sandfeld Jensen Date: Fri, 5 Mar 2021 12:52:36 +0100 Subject: [PATCH 4/5] Improve parsing of "r" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Negative r values are illegal, and zero means empty for circles. Pick-to: 6.1 Change-Id: Icb1d932f35909f71dafe1ee69eb2250eeb1bb2ad Reviewed-by: Mårten Nordheim (cherry picked from commit 4a88e194e6b243e83703ad83d95e49b2febed99e) --- src/svg/qsvghandler.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 836f9a65..222b6d89 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -2579,6 +2579,8 @@ static QSvgNode *createCircleNode(QSvgNode *parent, qreal ncx = toDouble(cx); qreal ncy = toDouble(cy); qreal nr = toDouble(r); + if (nr < 0.0) + return nullptr; QRectF rect(ncx-nr, ncy-nr, nr*2, nr*2); QSvgNode *circle = new QSvgCircle(parent, rect); @@ -3049,15 +3051,16 @@ static QSvgStyleProperty *createRadialGradientNode(QSvgNode *node, qreal ncx = 0.5; qreal ncy = 0.5; - qreal nr = 0.5; if (!cx.isEmpty()) ncx = toDouble(cx); if (!cy.isEmpty()) ncy = toDouble(cy); + + qreal nr = 0.0; if (!r.isEmpty()) nr = toDouble(r); - if (nr < 0.5) - nr = 0.5; + if (nr <= 0.0) + return nullptr; qreal nfx = ncx; if (!fx.isEmpty()) -- 2.49.0 From 9c149213f46b844607cf7db8f800d906db3a682f Mon Sep 17 00:00:00 2001 
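Review bot: `if (nr < 0.0) return nullptr;` rejects negative radii but lets a NaN through, since every comparison with NaN is false, so if toDouble can yield NaN for an unparsable `r` the `QRectF rect(ncx-nr, ncy-nr, nr*2, nr*2)` on the next line is built from NaN extents. Writing the guard as `if (!(nr >= 0.0)) return nullptr;` rejects both negative and NaN without changing the accepted range. The same applies to `if (nr <= 0.0)` in the createRadialGradientNode hunk below, where `if (!(nr > 0.0))` would do. What toDouble returns on bad input is not visible here — confirm before changing. createCircleNode continues outside the hunk.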
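Review bot: Omitting the `r` attribute now rejects the whole gradient: the default was moved from `qreal nr = 0.5;` to `qreal nr = 0.0;`, and the new `if (nr <= 0.0) return nullptr;` fires on that default before any explicit value is considered. The commit message only describes negative r as illegal and zero as empty, and SVG treats an absent r as 50%, so this looks unintended; keeping `qreal nr = 0.5;` as the default and letting the `<= 0.0` check apply to explicitly given values restores the documented behaviour. Callers of createRadialGradientNode must already cope with a nullptr return for this to be safe, which the hunk does not show. createRadialGradientNode continues outside the hunk.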
From: Eirik Aavitsland
Date: Mon, 25 Oct 2021 14:43:09 +0200
Subject: [PATCH 5/5] SVG Image reading: Reject oversize svgs as corrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add an upper limit for height and width at 0xffff, same as jpeg.

Fixes: QTBUG-95891
Pick-to: 6.2 5.15 5.12
Change-Id: I0dbc80dab3aab9b4743548772fb63fa69ea21f8a
Reviewed-by: Robert Löhning
Reviewed-by: Allan Sandfeld Jensen
(cherry picked from commit e544d8e457d52b543cae5c988f81237c7d6608da)

asturmlechner 2022-01-03: resolve conflict with preceding dev branch commit 0003ec68e9925a8386eb055e0030fe7f270aa56f.
---
 src/plugins/imageformats/svg/qsvgiohandler.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index 561e77e9..12e05748 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -191,6 +191,8 @@ bool QSvgIOHandler::read(QImage *image)
 }
 }
 if (!finalSize.isEmpty()) {
+ if (qMax(finalSize.width(), finalSize.height()) > 0xffff)
+ return false; // Assume corrupted file
 image->fill(d->backColor.rgba());
 QPainter p(image);
 d->r.render(&p, bounds);
-- 
2.49.0
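Review bot: The dimension guard sits immediately before `image->fill(d->backColor.rgba())`, but the hunk does not show where `*image` gets its storage; if it is sized from finalSize earlier in read() or by the caller, the oversize allocation this check is meant to forestall has already happened by the time the check runs, and the guard belongs where finalSize is computed. Placing it there would also reject the file before any painter is set up. The bare `0xffff` would read better as a named constant shared with the comment, e.g. `constexpr int kMaxSvgDimension = 0xffff; // same bound as the jpeg handler` (constructed name). QSvgIOHandler::read continues outside the hunk.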