qt5-qtsvg/qtsvg-5.15.2-do-strict-error-checking-when-parsing-path-nodes.patch

diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp
--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig	2022-01-18 17:48:18.619191388 +0100
+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp	2022-01-18 17:48:28.755246206 +0100
@@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path,
 
 static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
 {
+    const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this
     qreal x0 = 0, y0 = 0;              // starting point
     qreal x = 0, y = 0;                // current point
     char lastMode = 0;
@@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr
     const QChar *str = dataStr.constData();
     const QChar *end = str + dataStr.size();
 
-    while (str != end) {
+    bool ok = true;
+    while (ok && str != end) {
         while (str->isSpace() && (str + 1) != end)
             ++str;
         QChar pathElem = *str;
@@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr
             arg.append(0);//dummy
         const qreal *num = arg.constData();
         int count = arg.count();
-        while (count > 0) {
+        while (ok && count > 0) {
             qreal offsetX = x;        // correction offsets
             qreal offsetY = y;        // for relative commands
             switch (pathElem.unicode()) {
             case 'm': {
                 if (count < 2) {
-                    num++;
-                    count--;
+                    ok = false;
                     break;
                 }
                 x = x0 = num[0] + offsetX;
@@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr
                 break;
             case 'M': {
                 if (count < 2) {
-                    num++;
-                    count--;
+                    ok = false;
                     break;
                 }
                 x = x0 = num[0];
@@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr
                 break;
             case 'l': {
                 if (count < 2) {
-                    num++;
-                    count--;
+                    ok = false;
                     break;
                 }
                 x = num[0] + offsetX;
@@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr
                 break;
             case 'L': {
                 if (count < 2) {
-                    num++;
-                    count--;
+                    ok = false;
                     break;
                 }
                 x = num[0];
@@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr
                 break;
             case 'c': {
                 if (count < 6) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c1(num[0] + offsetX, num[1] + offsetY);
@@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'C': {
                 if (count < 6) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c1(num[0], num[1]);
@@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr
             }
             case 's': {
                 if (count < 4) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c1;
@@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'S': {
                 if (count < 4) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c1;
@@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'q': {
                 if (count < 4) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c(num[0] + offsetX, num[1] + offsetY);
@@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'Q': {
                 if (count < 4) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF c(num[0], num[1]);
@@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr
             }
             case 't': {
                 if (count < 2) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF e(num[0] + offsetX, num[1] + offsetY);
@@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'T': {
                 if (count < 2) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 QPointF e(num[0], num[1]);
@@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr
             }
             case 'a': {
                 if (count < 7) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 qreal rx = (*num++);
@@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr
                 break;
             case 'A': {
                 if (count < 7) {
-                    num += count;
-                    count = 0;
+                    ok = false;
                     break;
                 }
                 qreal rx = (*num++);
@@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr
             }
                 break;
             default:
-                return false;
+                ok = false;
+                break;
             }
             lastMode = pathElem.toLatin1();
+            if (path.elementCount() > maxElementCount)
+                ok = false;
         }
     }
-    return true;
+    return ok;
 }
 
 static bool parseStyle(QSvgNode *node,
@@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode
 
     QPainterPath qpath;
     qpath.setFillRule(Qt::WindingFill);
-    //XXX do error handling
-    parsePathDataFast(data, qpath);
+    if (!parsePathDataFast(data, qpath))
+        qCWarning(lcSvgHandler, "Invalid path data; path truncated.");
 
     QSvgNode *path = new QSvgPath(parent, qpath);
     return path;
rebased the patch 2022-01-18 16:50:31 +00:00			`diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp`
			`--- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2022-01-18 17:48:18.619191388 +0100`
			`+++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2022-01-18 17:48:28.755246206 +0100`
			`@@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path,`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00
rebased the patch 2022-01-18 16:50:31 +00:00			`static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`{`
			`+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this`
			`qreal x0 = 0, y0 = 0; // starting point`
			`qreal x = 0, y = 0; // current point`
			`char lastMode = 0;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`const QChar *str = dataStr.constData();`
			`const QChar *end = str + dataStr.size();`

			`- while (str != end) {`
			`+ bool ok = true;`
			`+ while (ok && str != end) {`
			`while (str->isSpace() && (str + 1) != end)`
			`++str;`
			`QChar pathElem = *str;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`arg.append(0);//dummy`
			`const qreal *num = arg.constData();`
			`int count = arg.count();`
			`- while (count > 0) {`
			`+ while (ok && count > 0) {`
			`qreal offsetX = x; // correction offsets`
			`qreal offsetY = y; // for relative commands`
			`switch (pathElem.unicode()) {`
			`case 'm': {`
			`if (count < 2) {`
			`- num++;`
			`- count--;`
			`+ ok = false;`
			`break;`
			`}`
			`x = x0 = num[0] + offsetX;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`break;`
			`case 'M': {`
			`if (count < 2) {`
			`- num++;`
			`- count--;`
			`+ ok = false;`
			`break;`
			`}`
			`x = x0 = num[0];`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`break;`
			`case 'l': {`
			`if (count < 2) {`
			`- num++;`
			`- count--;`
			`+ ok = false;`
			`break;`
			`}`
			`x = num[0] + offsetX;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`break;`
			`case 'L': {`
			`if (count < 2) {`
			`- num++;`
			`- count--;`
			`+ ok = false;`
			`break;`
			`}`
			`x = num[0];`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`break;`
			`case 'c': {`
			`if (count < 6) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c1(num[0] + offsetX, num[1] + offsetY);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'C': {`
			`if (count < 6) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c1(num[0], num[1]);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 's': {`
			`if (count < 4) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c1;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'S': {`
			`if (count < 4) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c1;`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'q': {`
			`if (count < 4) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c(num[0] + offsetX, num[1] + offsetY);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'Q': {`
			`if (count < 4) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF c(num[0], num[1]);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 't': {`
			`if (count < 2) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF e(num[0] + offsetX, num[1] + offsetY);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'T': {`
			`if (count < 2) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`QPointF e(num[0], num[1]);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`case 'a': {`
			`if (count < 7) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`qreal rx = (*num++);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`break;`
			`case 'A': {`
			`if (count < 7) {`
			`- num += count;`
			`- count = 0;`
			`+ ok = false;`
			`break;`
			`}`
			`qreal rx = (*num++);`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00			`}`
			`break;`
			`default:`
			`- return false;`
			`+ ok = false;`
			`+ break;`
			`}`
			`lastMode = pathElem.toLatin1();`
			`+ if (path.elementCount() > maxElementCount)`
			`+ ok = false;`
			`}`
			`}`
			`- return true;`
			`+ return ok;`
			`}`

			`static bool parseStyle(QSvgNode *node,`
rebased the patch 2022-01-18 16:50:31 +00:00			`@@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode`
Resolves bz#2037341, CVE-2021-45930 2022-01-18 16:36:47 +00:00
			`QPainterPath qpath;`
			`qpath.setFillRule(Qt::WindingFill);`
			`- //XXX do error handling`
			`- parsePathDataFast(data, qpath);`
			`+ if (!parsePathDataFast(data, qpath))`
			`+ qCWarning(lcSvgHandler, "Invalid path data; path truncated.");`

			`QSvgNode *path = new QSvgPath(parent, qpath);`
			`return path;`