author | Robert Loehning <robert.loehning@qt.io> | 2020-07-16 21:14:58 +0200 |
---|---|---|
committer | Robert Loehning <robert.loehning@qt.io> | 2020-07-27 12:29:55 +0200 |
commit | 188501fe27899cdc6a1aacf0d8c1a11144bd564a (patch) | |
tree | a89211b517762e3f4e20a09aac666a052637411c /src | |
parent | 899a7e91586dc8de6bb0532a05e0af43a8c5b65a (diff) |
Sanitize lengthValue in CSS parser
Limit the LengthData to the integer range before rounding it, taking
into account that qRound() subtracts 1 from negative values.
Fixes: oss-fuzz-23220
Pick-to: 5.15 5.12
Change-Id: I1b4383f3c33aac22746831002b2c74fc134faf77
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/gui/text/qcssparser.cpp | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index b6b1d63384..405ed94064 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -426,11 +426,10 @@ LengthData ValueExtractor::lengthValue(const Value& v)
 static int lengthValueFromData(const LengthData& data, const QFont& f)
 {
- if (data.unit == LengthData::Ex)
- return qRound(QFontMetrics(f).xHeight() * data.number);
- else if (data.unit == LengthData::Em)
- return qRound(QFontMetrics(f).height() * data.number);
- return qRound(data.number);
+ const int scale = (data.unit == LengthData::Ex ? QFontMetrics(f).xHeight()
+ : data.unit == LengthData::Em ? QFontMetrics(f).height() : 1);
+ // raised lower limit due to the implementation of qRound()
+ return qRound(qBound(double(INT_MIN) + 0.1, scale * data.number, double(INT_MAX)));
 }
 int ValueExtractor::lengthValue(const Declaration &decl) |
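Review bot: The comment above the new `return` in lengthValueFromData says only that the lower limit was raised, so a later reader cannot tell why `+ 0.1` is there or whether it is still needed if qRound() changes. Going by the commit message, qRound() subtracts 1 from a negative argument before converting it, so the clamp has to keep the value strictly above INT_MIN for that conversion to stay in range. I would spell that out, e.g. `// qRound() subtracts 1 from negative input before the int cast, so stay strictly above INT_MIN; an out-of-range double-to-int cast is undefined behaviour`. The hunk does not show whether `scale * data.number` can be NaN after parsing (a zero font metric times an infinite number would produce one); what qBound() returns for NaN depends on the order of its comparisons, so a regression test that feeds a non-finite length alongside the oss-fuzz case would pin the behaviour down.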