diff -up qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp --- qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp.orig 2022-01-18 17:48:18.619191388 +0100 +++ qtsvg-everywhere-src-5.15.2/src/svg/qsvghandler.cpp 2022-01-18 17:48:28.755246206 +0100 @@ -1615,6 +1615,7 @@ static void pathArc(QPainterPath &path, static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path) { + const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this qreal x0 = 0, y0 = 0; // starting point qreal x = 0, y = 0; // current point char lastMode = 0; @@ -1622,7 +1623,8 @@ static bool parsePathDataFast(const QStr const QChar *str = dataStr.constData(); const QChar *end = str + dataStr.size(); - while (str != end) { + bool ok = true; + while (ok && str != end) { while (str->isSpace() && (str + 1) != end) ++str; QChar pathElem = *str; @@ -1636,14 +1638,13 @@ static bool parsePathDataFast(const QStr arg.append(0);//dummy const qreal *num = arg.constData(); int count = arg.count(); - while (count > 0) { + while (ok && count > 0) { qreal offsetX = x; // correction offsets qreal offsetY = y; // for relative commands switch (pathElem.unicode()) { case 'm': { if (count < 2) { - num++; - count--; + ok = false; break; } x = x0 = num[0] + offsetX; @@ -1660,8 +1661,7 @@ static bool parsePathDataFast(const QStr break; case 'M': { if (count < 2) { - num++; - count--; + ok = false; break; } x = x0 = num[0]; @@ -1687,8 +1687,7 @@ static bool parsePathDataFast(const QStr break; case 'l': { if (count < 2) { - num++; - count--; + ok = false; break; } x = num[0] + offsetX; @@ -1701,8 +1700,7 @@ static bool parsePathDataFast(const QStr break; case 'L': { if (count < 2) { - num++; - count--; + ok = false; break; } x = num[0]; @@ -1742,8 +1740,7 @@ static bool parsePathDataFast(const QStr break; case 'c': { if (count < 6) { - num += count; - count = 0; + ok = false; break; } QPointF c1(num[0] + offsetX, num[1] + offsetY); @@ -1759,8 +1756,7 @@ static bool parsePathDataFast(const QStr } case 'C': { if (count < 6) { - num += count; - count = 0; + ok = false; break; } QPointF c1(num[0], num[1]); @@ -1776,8 +1772,7 @@ static bool parsePathDataFast(const QStr } case 's': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c1; @@ -1798,8 +1793,7 @@ static bool parsePathDataFast(const QStr } case 'S': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c1; @@ -1820,8 +1814,7 @@ static bool parsePathDataFast(const QStr } case 'q': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c(num[0] + offsetX, num[1] + offsetY); @@ -1836,8 +1829,7 @@ static bool parsePathDataFast(const QStr } case 'Q': { if (count < 4) { - num += count; - count = 0; + ok = false; break; } QPointF c(num[0], num[1]); @@ -1852,8 +1844,7 @@ static bool parsePathDataFast(const QStr } case 't': { if (count < 2) { - num += count; - count = 0; + ok = false; break; } QPointF e(num[0] + offsetX, num[1] + offsetY); @@ -1873,8 +1864,7 @@ static bool parsePathDataFast(const QStr } case 'T': { if (count < 2) { - num += count; - count = 0; + ok = false; break; } QPointF e(num[0], num[1]); @@ -1894,8 +1884,7 @@ static bool parsePathDataFast(const QStr } case 'a': { if (count < 7) { - num += count; - count = 0; + ok = false; break; } qreal rx = (*num++); @@ -1917,8 +1906,7 @@ static bool parsePathDataFast(const QStr break; case 'A': { if (count < 7) { - num += count; - count = 0; + ok = false; break; } qreal rx = (*num++); @@ -1939,12 +1927,15 @@ static bool parsePathDataFast(const QStr } break; default: - return false; + ok = false; + break; } lastMode = pathElem.toLatin1(); + if (path.elementCount() > maxElementCount) + ok = false; } } - return true; + return ok; } static bool parseStyle(QSvgNode *node, @@ -2980,8 +2971,8 @@ static QSvgNode *createPathNode(QSvgNode QPainterPath qpath; qpath.setFillRule(Qt::WindingFill); - //XXX do error handling - parsePathDataFast(data, qpath); + if (!parsePathDataFast(data, qpath)) + qCWarning(lcSvgHandler, "Invalid path data; path truncated."); QSvgNode *path = new QSvgPath(parent, qpath); return path;