Sanitize lengthValue in CSS parser

Limit the LengthData to the integer range before rounding it, taking into account that qRound() substracts 1 from negative values. Fixes: oss-fuzz-23220 Pick-to: 5.15 5.12 Change-Id: I1b4383f3c33aac22746831002b2c74fc134faf77 Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
author: Robert Loehning <robert.loehning@qt.io> 2020-07-16 21:14:58 +0200
committer: Robert Loehning <robert.loehning@qt.io> 2020-07-27 12:29:55 +0200
commit: 188501fe27899cdc6a1aacf0d8c1a11144bd564a (patch)
tree: a89211b517762e3f4e20a09aac666a052637411c /src
parent: 899a7e91586dc8de6bb0532a05e0af43a8c5b65a (diff)
1 files changed, 4 insertions, 5 deletions
diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index b6b1d63384..405ed94064 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -426,11 +426,10 @@ LengthData ValueExtractor::lengthValue(const Value& v)
 
 static int lengthValueFromData(const LengthData& data, const QFont& f)
 {
-    if (data.unit == LengthData::Ex)
-        return qRound(QFontMetrics(f).xHeight() * data.number);
-    else if (data.unit == LengthData::Em)
-        return qRound(QFontMetrics(f).height() * data.number);
-    return qRound(data.number);
+    const int scale = (data.unit == LengthData::Ex ? QFontMetrics(f).xHeight()
+                      : data.unit == LengthData::Em ? QFontMetrics(f).height() : 1);
+    // raised lower limit due to the implementation of qRound()
+    return qRound(qBound(double(INT_MIN) + 0.1, scale * data.number, double(INT_MAX)));
 }
 
 int ValueExtractor::lengthValue(const Declaration &decl)
author	Robert Loehning <robert.loehning@qt.io>	2020-07-16 21:14:58 +0200
committer	Robert Loehning <robert.loehning@qt.io>	2020-07-27 12:29:55 +0200
commit	188501fe27899cdc6a1aacf0d8c1a11144bd564a (patch)
tree	a89211b517762e3f4e20a09aac666a052637411c /src
parent	899a7e91586dc8de6bb0532a05e0af43a8c5b65a (diff)