authorRobert Löhning <robert.loehning@qt.io>2024-05-03 23:25:15 +0200
committerRobert Löhning <robert.loehning@qt.io>2024-05-07 13:10:37 +0200
commite47bbb0c88101a9b53f061bde097d3725278fe71 (patch)
tree4e809ff37407cf1776063ab3b092b740664714ea
parent9ec3591cc06bb5ab262faea80cbf85653101bc36 (diff)
Guard against null pointer deref
Credit to OSS-Fuzz. This fixes OSS-Fuzz issue 61586.
Fixes: QTBUG-125065
Pick-to: 6.7
Change-Id: Ia8773cee99380fa865262b42d9a8e938d9e794ae
Reviewed-by: Hatem ElKharashy <hatem.elkharashy@qt.io>
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
-rw-r--r--src/svg/qsvghandler.cpp8
-rw-r--r--tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp7
2 files changed, 12 insertions, 3 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index c49d3a7..9db7d64 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -1350,9 +1350,11 @@ static void parseFont(QSvgNode *node,
QSvgTinyDocument *doc = node->document();
QSvgFontStyle *fontStyle = nullptr;
if (!attributes.fontFamily.isEmpty()) {
- QSvgFont *svgFont = doc->svgFont(attributes.fontFamily.toString());
- if (svgFont)
- fontStyle = new QSvgFontStyle(svgFont, doc);
+ if (doc) {
+ QSvgFont *svgFont = doc->svgFont(attributes.fontFamily.toString());
+ if (svgFont)
+ fontStyle = new QSvgFontStyle(svgFont, doc);
+ }
}
if (!fontStyle)
fontStyle = new QSvgFontStyle;
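Review bot: The new null guard on `doc` adds a second nesting level for what is a single precondition of the same branch; `if (doc && !attributes.fontFamily.isEmpty()) {` keeps the original body untouched one level shallower and still falls through to the default `QSvgFontStyle` below when either condition fails. Nothing in the hunk says why `node->document()` can be null here, so a short comment would help the next reader, e.g. `// document() can be null for nodes not attached to a document (see oss_fuzz_61586)` — the exact condition should be confirmed against the parser before wording it. `node` itself is still dereferenced unguarded on the first context line; whether any caller can pass a null node is not visible from this hunk. parseFont begins before the hunk and continues past it.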
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 2c8368b..31381df 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -61,6 +61,7 @@ private slots:
void oss_fuzz_23731();
void oss_fuzz_24131();
void oss_fuzz_24738();
+ void oss_fuzz_61586();
void imageRendering();
void illegalAnimateTransform_data();
void illegalAnimateTransform();
@@ -1668,6 +1669,12 @@ void tst_QSvgRenderer::oss_fuzz_24738()
QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">"));
}
+void tst_QSvgRenderer::oss_fuzz_61586()
+{
+ // resulted in null pointer deref
+ QSvgRenderer().load(QByteArray("<svg><style>*{font-family:q}<linearGradient><stop>"));
+}
+
QByteArray image_data_url(QImage &image) {
QByteArray data;
QBuffer buffer(&data);