From: Eirik Aavitsland Date: Mon, 9 Jul 2018 08:45:22 +0000 (+0200) Subject: Fix crash when parsing malformed url reference X-Git-Tag: archive/raspbian/4%4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2+rpi1^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fffee83ff70e551bf06d69395c7f8c6a51a5570c;p=qt4-x11.git Fix crash when parsing malformed url reference The parsing did not check for end of input. Change-Id: I56a478877d242146395977b767511425d2b8ced1 Reviewed-by: Lars Knoll Gbp-Pq: Name cve_2018-19869.patch
---
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 7004de72c..50e039111 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -746,16 +746,17 @@ static QVector parsePercentageList(const QChar *&str)
 static QString idFromUrl(const QString &url)
 {
 QString::const_iterator itr = url.constBegin();
- while ((*itr).isSpace())
+ QString::const_iterator end = url.constEnd();
+ while (itr != end && (*itr).isSpace())
 ++itr;
- if ((*itr) == QLatin1Char('('))
+ if (itr != end && (*itr) == QLatin1Char('('))
 ++itr;
- while ((*itr).isSpace())
+ while (itr != end && (*itr).isSpace())
 ++itr;
- if ((*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#'))
 ++itr;
 QString id;
- while ((*itr) != QLatin1Char(')')) {
+ while (itr != end && (*itr) != QLatin1Char(')')) {
 id += *itr;
 ++itr;
 }
diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
index 6437b39df..fe4591e66 100644
--- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
+++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp
@@ -70,6 +70,8 @@ private slots:
 void getSetCheck();
 void inexistentUrl();
 void emptyUrl();
+ void invalidUrl_data();
+ void invalidUrl();
 void testStrokeWidth();
 void testMapViewBoxToTarget();
 void testRenderElement();
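Review bot: In idFromUrl (src/svg/qsvghandler.cpp) the final loop now also stops at `end`, so a reference that is cut off before its closing `)` returns whatever characters were collected and, within this hunk, is indistinguishable from a well-formed one. If callers should not resolve ids taken from unterminated references, `if (itr == end) return QString();` after that loop would make the malformed case explicit; the rest of the function lies outside the hunk, so whether this is already handled is not visible here. Independently, a comment above the first loop such as `// url is attribute text from the SVG input and may end at any point; every dereference of itr must be preceded by itr != end` would keep later edits from dropping a guard. `end` can also be declared `const`.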
@@ -148,6 +150,30 @@ void tst_QSvgRenderer::emptyUrl()
 QVERIFY(renderer.isValid());
 }
+void tst_QSvgRenderer::invalidUrl_data()
+{
+ QTest::addColumn("svg");
+
+ QTest::newRow("00") << QByteArray("");
+ QTest::newRow("01") << QByteArray("");
+ QTest::newRow("02") << QByteArray("");
+ QTest::newRow("03") << QByteArray("");
+ QTest::newRow("04") << QByteArray("");
+ QTest::newRow("05") << QByteArray("");
+ QTest::newRow("06") << QByteArray("");
+ QTest::newRow("07") << QByteArray("");
+ QTest::newRow("08") << QByteArray("");
+ QTest::newRow("09") << QByteArray("");
+}
+
+void tst_QSvgRenderer::invalidUrl()
+{
+ QFETCH(QByteArray, svg);
+
+ QSvgRenderer renderer(svg);
+ QVERIFY(renderer.isValid());
+}
+
 void tst_QSvgRenderer::testStrokeWidth()
 {
 qreal squareSize = 30.0;
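Review bot: invalidUrl() asserts only `renderer.isValid()`, and a read past the end of the string does not necessarily fail that assertion or crash the test process, so the test guards against the regression reliably only when the suite runs under a memory checker such as AddressSanitizer or Valgrind. A comment above invalidUrl_data() saying so, e.g. `// Regression rows for idFromUrl() end-of-input handling; run under ASan/Valgrind, an over-read need not crash`, would record that. The row payloads render as empty strings on this page, so which truncation point each row covers cannot be checked here; a short per-row comment naming the guard it exercises would help.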