diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-03-01 17:06:50 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-08-31 15:09:42 +0200 |
| commit | c81b0033700ae0f424aa8f2fbc6bc1c47056444d (patch) | |
| tree | 733a28438fe19b342c4313307fe75613d0c8f9be | |
| parent | cb9e1c92f94478323c844ed6ee79d8db538af381 (diff) | |
Fix assert with wrong number of argument to animateTransform
Change-Id: I8e864ab4213d65866b0004f115f4e7c7bf7173d5
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 6acc5212815816af0e0c6c04519a511fccf77a6a)
| -rw-r--r-- | src/svg/qsvghandler.cpp | 2 | ||||
| -rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 19 |
2 files changed, 21 insertions, 0 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 0ddcc4f..c604560 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -2513,6 +2513,8 @@ static bool parseAnimateTransformNode(QSvgNode *parent, ++s; } } + if (vals.count() % 3 != 0) + return false; bool ok = true; int begin = parseClockValue(beginStr, &ok); diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 36c76ec..db71e02 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -86,6 +86,8 @@ private slots: void oss_fuzz_23731(); void oss_fuzz_24131(); void oss_fuzz_24738(); + void illegalAnimateTransform_data(); + void illegalAnimateTransform(); #ifndef QT_NO_COMPRESS void testGzLoading(); @@ -1646,5 +1648,22 @@ void tst_QSvgRenderer::oss_fuzz_24738() QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">")); } +void tst_QSvgRenderer::illegalAnimateTransform_data() +{ + QTest::addColumn<QByteArray>("svg"); + + QTest::newRow("case1") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"8,0,5,0\">"); + QTest::newRow("case2") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"1,2\">"); + QTest::newRow("case3") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" from=\".. 5 2\" to=\"f\">"); + QTest::newRow("case4") << QByteArray("<svg><animateTransform type=\"scale\" begin=\"1\" dur=\"2\" by=\"--,..\">"); +} + +void tst_QSvgRenderer::illegalAnimateTransform() +{ + QFETCH(QByteArray, svg); + QSvgRenderer renderer; + QVERIFY(!renderer.load(svg)); // also shouldn't assert +} + QTEST_MAIN(tst_QSvgRenderer) #include "tst_qsvgrenderer.moc" |