diff options
| author | Robert Loehning <robert.loehning@qt.io> | 2020-07-16 21:14:58 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2020-07-27 17:32:50 +0000 |
| commit | 81cd63dc293ef577621c04b0b5889017c1bf2011 (patch) | |
| tree | e93d635722666185e15785aba6daa0acd3a557bc /src/gui | |
| parent | 3cb77ed5e7a840a98bd6b3e79cb2110f94c5573e (diff) | |
Sanitize lengthValue in CSS parser
Limit the LengthData to the integer range before rounding it, taking
into account that qRound() substracts 1 from negative values.
Fixes: oss-fuzz-23220
Change-Id: I1b4383f3c33aac22746831002b2c74fc134faf77
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit 188501fe27899cdc6a1aacf0d8c1a11144bd564a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/gui')
| -rw-r--r-- | src/gui/text/qcssparser.cpp | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp index b1d353a43b..663f727145 100644 --- a/src/gui/text/qcssparser.cpp +++ b/src/gui/text/qcssparser.cpp @@ -426,11 +426,10 @@ LengthData ValueExtractor::lengthValue(const Value& v) static int lengthValueFromData(const LengthData& data, const QFont& f) { - if (data.unit == LengthData::Ex) - return qRound(QFontMetrics(f).xHeight() * data.number); - else if (data.unit == LengthData::Em) - return qRound(QFontMetrics(f).height() * data.number); - return qRound(data.number); + const int scale = (data.unit == LengthData::Ex ? QFontMetrics(f).xHeight() + : data.unit == LengthData::Em ? QFontMetrics(f).height() : 1); + // raised lower limit due to the implementation of qRound() + return qRound(qBound(double(INT_MIN) + 0.1, scale * data.number, double(INT_MAX))); } int ValueExtractor::lengthValue(const Declaration &decl) |