Filters: check image allocation to avoid memory exhaustion and crash

The new svg features introduced in 6.7 generally use the checked QImage allocation from ImageIO to create the intermediate images. The exception was in applyFilter(), where a QImage was created by the copy function. This commit does not fix the underlying problem in the filter size calculation. It just ensures that the code fails cleanly, whatever the reason for the unexpected size. Pick-to: 6.7 Task-number: QTBUG-124287 Change-Id: If1a20b11842cc05645fe16aa9f4158190f28f5b2 Reviewed-by: Hatem ElKharashy <hatem.elkharashy@qt.io>
author: Eirik Aavitsland <eirik.aavitsland@qt.io> 2024-04-15 14:30:42 +0200
committer: Eirik Aavitsland <eirik.aavitsland@qt.io> 2024-04-16 07:40:56 +0000
commit: e264f646897acf84921a6230998795f5254bb0f4 (patch)
tree: ade5462b3f6648f70bfca7c070329111784f2e4f
parent: 3a964933ad253b29a0131494dd8ad910fb768960 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp
index 2ed6a70..22f1b0d 100644
--- a/src/svg/qsvgstructure.cpp
+++ b/src/svg/qsvgstructure.cpp
@@ -385,7 +385,12 @@ QImage QSvgFilterContainer::applyFilter(QSvgNode *item, const QImage &buffer, QP
     if (filterBoundsGlobRel.isEmpty())
         return buffer;
 
-    QImage proxy = buffer.copy(filterBoundsGlobRel);
+    QImage proxy;
+    if (!QImageIOHandler::allocateImage(filterBoundsGlobRel.size(), buffer.format(), &proxy)) {
+        qCWarning(lcSvgDraw) << "The requested filter is too big, ignoring";
+        return buffer;
+    }
+    proxy = buffer.copy(filterBoundsGlobRel);
     proxy.setOffset(filterBoundsGlob.topLeft());
     if (proxy.isNull())
         return buffer;
author	Eirik Aavitsland <eirik.aavitsland@qt.io>	2024-04-15 14:30:42 +0200
committer	Eirik Aavitsland <eirik.aavitsland@qt.io>	2024-04-16 07:40:56 +0000
commit	e264f646897acf84921a6230998795f5254bb0f4 (patch)
tree	ade5462b3f6648f70bfca7c070329111784f2e4f
parent	3a964933ad253b29a0131494dd8ad910fb768960 (diff)