diff options
| author | Tarja Sundqvist <tarja.sundqvist@qt.io> | 2023-06-09 17:09:17 +0300 |
|---|---|---|
| committer | Tarja Sundqvist <tarja.sundqvist@qt.io> | 2023-06-09 17:09:17 +0300 |
| commit | 3385b64df939815e9df5955f991d270d47a5515b (patch) | |
| tree | 4ede7bb1025ad3142b6d26d9cd47aaa7db884b34 | |
| parent | 7e6a3b38b2e898d90cef68a146cd36fda22e4363 (diff) | |
| parent | c81b0033700ae0f424aa8f2fbc6bc1c47056444d (diff) | |
Merge remote-tracking branch 'origin/tqtc/lts-5.15.11' into tqtc/lts-5.15-opensourcev5.15.11-lts-lgpl
Change-Id: Ife0bac80d4b77517b2780ef5653d8d64d360d75b
| -rw-r--r-- | .qmake.conf | 2 | ||||
| -rw-r--r-- | src/svg/qsvghandler.cpp | 2 | ||||
| -rw-r--r-- | src/svg/qsvgtinydocument.cpp | 11 | ||||
| -rw-r--r-- | tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 19 |
4 files changed, 33 insertions, 1 deletions
diff --git a/.qmake.conf b/.qmake.conf index 92c6c65..9228cbd 100644 --- a/.qmake.conf +++ b/.qmake.conf @@ -3,4 +3,4 @@ load(qt_build_config) CONFIG += warning_clean DEFINES += QT_NO_FOREACH -MODULE_VERSION = 5.15.10 +MODULE_VERSION = 5.15.11 diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index b2227b6..c229c3b 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -2513,6 +2513,8 @@ static bool parseAnimateTransformNode(QSvgNode *parent, ++s; } } + if (vals.count() % 3 != 0) + return false; bool ok = true; int begin = parseClockValue(beginStr, &ok); diff --git a/src/svg/qsvgtinydocument.cpp b/src/svg/qsvgtinydocument.cpp index 63d0797..19e7154 100644 --- a/src/svg/qsvgtinydocument.cpp +++ b/src/svg/qsvgtinydocument.cpp @@ -433,8 +433,16 @@ void QSvgTinyDocument::draw(QPainter *p, QSvgExtraStates &) draw(p); } +static bool isValidMatrix(const QTransform &transform) +{ + qreal determinant = transform.determinant(); + return qIsFinite(determinant); +} + void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect, const QRectF &sourceRect) { + QTransform oldTransform = p->worldTransform(); + QRectF target = targetRect; if (target.isEmpty()) { QPaintDevice *dev = p->device(); @@ -487,6 +495,9 @@ void QSvgTinyDocument::mapSourceToTarget(QPainter *p, const QRectF &targetRect, } #endif } + + if (!isValidMatrix(p->worldTransform())) + p->setWorldTransform(oldTransform); } QRectF QSvgTinyDocument::boundsOnElement(const QString &id) const diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 36c76ec..db71e02 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -86,6 +86,8 @@ private slots: void oss_fuzz_23731(); void oss_fuzz_24131(); void oss_fuzz_24738(); + void illegalAnimateTransform_data(); + void illegalAnimateTransform(); #ifndef QT_NO_COMPRESS void testGzLoading(); @@ -1646,5 +1648,22 @@ void tst_QSvgRenderer::oss_fuzz_24738() QSvgRenderer().load(QByteArray("<svg><path d=\"a 2 1e-212.....\">")); } +void tst_QSvgRenderer::illegalAnimateTransform_data() +{ + QTest::addColumn<QByteArray>("svg"); + + QTest::newRow("case1") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"8,0,5,0\">"); + QTest::newRow("case2") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" values=\"1,2\">"); + QTest::newRow("case3") << QByteArray("<svg><animateTransform type=\"rotate\" begin=\"1\" dur=\"2\" from=\".. 5 2\" to=\"f\">"); + QTest::newRow("case4") << QByteArray("<svg><animateTransform type=\"scale\" begin=\"1\" dur=\"2\" by=\"--,..\">"); +} + +void tst_QSvgRenderer::illegalAnimateTransform() +{ + QFETCH(QByteArray, svg); + QSvgRenderer renderer; + QVERIFY(!renderer.load(svg)); // also shouldn't assert +} + QTEST_MAIN(tst_QSvgRenderer) #include "tst_qsvgrenderer.moc" |