diff options
author | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2018-07-09 10:45:22 +0200 |
---|---|---|
committer | Eirik Aavitsland <eirik.aavitsland@qt.io> | 2018-08-09 07:44:50 +0000 |
commit | c5f1dd14098d1cc2cb52448fb44f53966d331443 (patch) | |
tree | 454418e16d86160adf8f4d1f12b0a42589d06a47 | |
parent | 1167507b6422cd74a95cf0deffaccada9345dc27 (diff) |
Fix crash when parsing malformed url reference5.6
The parsing did not check for end of input.
Change-Id: I56a478877d242146395977b767511425d2b8ced1
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit 8c199714e9bc638fb3f6ec747fb7a23373e49335)
(cherry picked from commit 97eebc52a8362f8b841e24ad0e4d54315d1948e3)
-rw-r--r-- | src/svg/qsvghandler.cpp | 11 | ||||
-rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 26 |
2 files changed, 32 insertions, 5 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 036b870..0cbf139 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -733,16 +733,17 @@ static QVector<qreal> parsePercentageList(const QChar *&str) static QString idFromUrl(const QString &url) { QString::const_iterator itr = url.constBegin(); - while ((*itr).isSpace()) + QString::const_iterator end = url.constEnd(); + while (itr != end && (*itr).isSpace()) ++itr; - if ((*itr) == QLatin1Char('(')) + if (itr != end && (*itr) == QLatin1Char('(')) ++itr; - while ((*itr).isSpace()) + while (itr != end && (*itr).isSpace()) ++itr; - if ((*itr) == QLatin1Char('#')) + if (itr != end && (*itr) == QLatin1Char('#')) ++itr; QString id; - while ((*itr) != QLatin1Char(')')) { + while (itr != end && (*itr) != QLatin1Char(')')) { id += *itr; ++itr; } diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index c272ef7..e974900 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -59,6 +59,8 @@ private slots: void getSetCheck(); void inexistentUrl(); void emptyUrl(); + void invalidUrl_data(); + void invalidUrl(); void testStrokeWidth(); void testMapViewBoxToTarget(); void testRenderElement(); @@ -137,6 +139,30 @@ void tst_QSvgRenderer::emptyUrl() QVERIFY(renderer.isValid()); } +void tst_QSvgRenderer::invalidUrl_data() +{ + QTest::addColumn<QByteArray>("svg"); + + QTest::newRow("00") << QByteArray("<svg><circle fill=\"url\" /></svg>"); + QTest::newRow("01") << QByteArray("<svg><circle fill=\"url0\" /></svg>"); + QTest::newRow("02") << QByteArray("<svg><circle fill=\"url(0\" /></svg>"); + QTest::newRow("03") << QByteArray("<svg><circle fill=\"url (0\" /></svg>"); + QTest::newRow("04") << QByteArray("<svg><circle fill=\"url ( 0\" /></svg>"); + QTest::newRow("05") << QByteArray("<svg><circle fill=\"url#\" /></svg>"); + QTest::newRow("06") << QByteArray("<svg><circle fill=\"url#(\" /></svg>"); + QTest::newRow("07") << QByteArray("<svg><circle fill=\"url(#\" /></svg>"); + QTest::newRow("08") << QByteArray("<svg><circle fill=\"url(# \" /></svg>"); + QTest::newRow("09") << QByteArray("<svg><circle fill=\"url(# 0\" /></svg>"); +} + +void tst_QSvgRenderer::invalidUrl() +{ + QFETCH(QByteArray, svg); + + QSvgRenderer renderer(svg); + QVERIFY(renderer.isValid()); +} + void tst_QSvgRenderer::testStrokeWidth() { qreal squareSize = 30.0; |