From 6cfdfad7d41a7e452fa53495d9843c5d67e74946 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Martins?= <sergio.martins@kdab.com>
Date: Mon, 17 Oct 2016 23:16:15 +0100
Subject: Don't crash while parsing malformed CSS

Task-Id: QTBUG-53919
Change-Id: I31a0e218e4e41ee217f8f87164f115450d69d42c
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
---
 src/gui/text/qcssparser.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/gui')

diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 65b468ece4..e96aecdf68 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -739,8 +739,9 @@ static ColorData parseColorValue(QCss::Value v)
     QVector<QCss::Value> colorDigits;
     if (!p.parseExpr(&colorDigits))
         return ColorData();
+    const int tokenCount = colorDigits.count();
 
-    for (int i = 0; i < qMin(colorDigits.count(), 7); i += 2) {
+    for (int i = 0; i < qMin(tokenCount, 7); i += 2) {
         if (colorDigits.at(i).type == Value::Percentage) {
             colorDigits[i].variant = colorDigits.at(i).variant.toReal() * (255. / 100.);
             colorDigits[i].type = Value::Number;
@@ -749,11 +750,15 @@ static ColorData parseColorValue(QCss::Value v)
         }
     }
 
+
+    if (tokenCount < 5)
+        return ColorData();
+
     int v1 = colorDigits.at(0).variant.toInt();
     int v2 = colorDigits.at(2).variant.toInt();
     int v3 = colorDigits.at(4).variant.toInt();
     int alpha = 255;
-    if (colorDigits.count() >= 7) {
+    if (tokenCount >= 7) {
         int alphaValue = colorDigits.at(6).variant.toInt();
         if (rgba && alphaValue <= 1)
             alpha = colorDigits.at(6).variant.toReal() * 255.;
-- 
cgit v1.2.3