[PATCH] Fix crash when parsing malformed url reference

The parsing did not check for end of input.

Change-Id: I56a478877d242146395977b767511425d2b8ced1
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Gbp-Pq: Name CVE-2018-19869.patch

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 77af81611bc9ec9b734b69ec6d830fa69a885851..7378e9628289350b25951668655daaf28d5f90a3 100644 (file)
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -746,16 +746,17 @@ static QVector<qreal> parsePercentageList(const QChar *&str)
 static QString idFromUrl(const QString &url)
 {
     QString::const_iterator itr = url.constBegin();
-    while ((*itr).isSpace())
+    QString::const_iterator end = url.constEnd();
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('('))
+    if (itr != end && (*itr) == QLatin1Char('('))
         ++itr;
-    while ((*itr).isSpace())
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('#'))
+    if (itr != end && (*itr) == QLatin1Char('#'))
         ++itr;
     QString id;
-    while ((*itr) != QLatin1Char(')')) {
+    while (itr != end && (*itr) != QLatin1Char(')')) {
         id += *itr;
         ++itr;
     }