From 6cfdfad7d41a7e452fa53495d9843c5d67e74946 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Martins?= <sergio.martins@kdab.com>
Date: Mon, 17 Oct 2016 23:16:15 +0100
Subject: Don't crash while parsing malformed CSS

Task-Id: QTBUG-53919
Change-Id: I31a0e218e4e41ee217f8f87164f115450d69d42c
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
---
 src/gui/text/qcssparser.cpp                       | 9 +++++++--
 tests/auto/gui/text/qcssparser/tst_qcssparser.cpp | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 65b468ece4..e96aecdf68 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -739,8 +739,9 @@ static ColorData parseColorValue(QCss::Value v)
     QVector<QCss::Value> colorDigits;
     if (!p.parseExpr(&colorDigits))
         return ColorData();
+    const int tokenCount = colorDigits.count();
 
-    for (int i = 0; i < qMin(colorDigits.count(), 7); i += 2) {
+    for (int i = 0; i < qMin(tokenCount, 7); i += 2) {
         if (colorDigits.at(i).type == Value::Percentage) {
             colorDigits[i].variant = colorDigits.at(i).variant.toReal() * (255. / 100.);
             colorDigits[i].type = Value::Number;
@@ -749,11 +750,15 @@ static ColorData parseColorValue(QCss::Value v)
         }
     }
 
+
+    if (tokenCount < 5)
+        return ColorData();
+
     int v1 = colorDigits.at(0).variant.toInt();
     int v2 = colorDigits.at(2).variant.toInt();
     int v3 = colorDigits.at(4).variant.toInt();
     int alpha = 255;
-    if (colorDigits.count() >= 7) {
+    if (tokenCount >= 7) {
         int alphaValue = colorDigits.at(6).variant.toInt();
         if (rgba && alphaValue <= 1)
             alpha = colorDigits.at(6).variant.toReal() * 255.;
diff --git a/tests/auto/gui/text/qcssparser/tst_qcssparser.cpp b/tests/auto/gui/text/qcssparser/tst_qcssparser.cpp
index b1beb0ffd0..d283f7d9cc 100644
--- a/tests/auto/gui/text/qcssparser/tst_qcssparser.cpp
+++ b/tests/auto/gui/text/qcssparser/tst_qcssparser.cpp
@@ -847,6 +847,7 @@ void tst_QCssParser::colorValue_data()
     QTest::newRow("hsla") << "color: hsva(10, 20, 30, 40)" << QColor::fromHsv(10, 20, 30, 40);
     QTest::newRow("invalid1") << "color: rgb(why, does, it, always, rain, on, me)" << QColor();
     QTest::newRow("invalid2") << "color: rgba(i, meant, norway)" << QColor();
+    QTest::newRow("invalid3") << "color: rgb(21)" << QColor();
     QTest::newRow("role") << "color: palette(base)" << qApp->palette().color(QPalette::Base);
     QTest::newRow("role2") << "color: palette( window-text ) " << qApp->palette().color(QPalette::WindowText);
     QTest::newRow("transparent") << "color: transparent" << QColor(Qt::transparent);
-- 
cgit v1.2.3