Don't crash QML image on bad source

Jan Grulich 2023-10-18 14:46:56 +02:00
parent b80565c9f4
commit aa3df7d95b
4 changed files with 227 additions and 1 deletions


@ -11,7 +11,7 @@
Summary: Qt6 - Support for rendering and displaying SVG
Name: qt6-%{qt_module}
Version: 6.6.0
Release: 2%{?dist}
Release: 3%{?dist}
License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
Url: http://www.qt.io
@ -24,6 +24,12 @@ Source0: https://download.qt.io/development_releases/qt/%{majmin}/%{qt_version}/
Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz
%endif
# QTBUG-117944
# QML Image bad source crashes application instead of error status (QSvgHandler::parse)
Patch0: qtsvg-fix-nullptr-dereference-with-invalid-svg.patch
Patch1: qtsvg-make-sure-we-dont-load-invalid-svg-twice.patch
Patch2: qtsvg-verify-loading-of-invalid-svg-files-dont-crash.patch
# filter plugin provides
%global __provides_exclude_from ^%{_qt6_plugindir}/.*\\.so$
@ -114,6 +120,9 @@ popd
%endif
%changelog
* Wed Oct 18 2023 Jan Grulich <jgrulich@redhat.com> - 6.6.0-3
- Don't crash QML image on bad source
* Tue Oct 17 2023 Jan Grulich <jgrulich@redhat.com> - 6.6.0-2
- Re-enable examples


@ -0,0 +1,26 @@
From effc44495a33babd4cf7a2044123f420e6b3da1c Mon Sep 17 00:00:00 2001
From: Paul Olav Tvete <paul.tvete@qt.io>
Date: Tue, 10 Oct 2023 10:14:22 +0200
Subject: [PATCH] Fix nullptr dereference with invalid SVG
Fixes: QTBUG-117944
Pick-to: 6.5 6.2
Change-Id: I9059dc28c750fc0585f1fb982152b211c323c6cd
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
(cherry picked from commit edc8ca7f1e45302223b4b7962a57a30918f84c8d)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 2649422..335500a 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -3606,6 +3606,8 @@
static bool detectCycles(const QSvgNode *node, QList<const QSvgUse *> active = {})
{
+ if (Q_UNLIKELY(!node))
+ return false;
switch (node->type()) {
case QSvgNode::DOC:
case QSvgNode::G:
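Review bot: The new null guard at the top of detectCycles() does not say why a null node can reach this point, and the code that produces the null is not in the hunk, so a later reader may take the check for dead code and drop it; a comment on the guard such as `// A malformed SVG (QTBUG-117944) can leave a null child in the node tree; treat it as cycle-free rather than dereferencing it.` would anchor it. Returning false is the safe answer for the cycle detector since a missing node cannot close a use-reference loop, but the real fix is presumably wherever the null child gets inserted, which is worth noting in the patch description if it is known. detectCycles's body continues outside the hunk, so whether every recursive call also passes through this entry check cannot be confirmed from here.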


@ -0,0 +1,76 @@
From 0bfb420574f192a097c7ab3dbdd452b39464dc84 Mon Sep 17 00:00:00 2001
From: Paul Olav Tvete <paul.tvete@qt.io>
Date: Tue, 10 Oct 2023 11:41:41 +0200
Subject: [PATCH] Make sure we don't load invalid SVGs twice
Fixes a bug where loading an invalid SVG that happens
to be valid XML could behave differently in QML and C++,
because readimage() in qquickpixmapcache.cpp calls
QImageReader::size() twice.
Task-number: QTBUG-117944
Pick-to: 6.5
Change-Id: Ibef7f54627c76414c66f81804f5f46f2db3594ba
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
(cherry picked from commit a090bd1f9a7bfa14f06b14570c6a5a37843931c6)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
index b04ee6b..570c982 100644
--- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
+++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -19,7 +19,7 @@
{
public:
QSvgIOHandlerPrivate(QSvgIOHandler *qq)
- : q(qq), loaded(false), readDone(false), backColor(Qt::transparent)
+ : q(qq), loadAttempted(false), loadStatus(false), readDone(false), backColor(Qt::transparent)
{}
bool load(QIODevice *device);
@@ -31,7 +31,8 @@
QRect clipRect;
QSize scaledSize;
QRect scaledClipRect;
- bool loaded;
+ bool loadAttempted;
+ bool loadStatus;
bool readDone;
QColor backColor;
};
@@ -39,8 +40,9 @@
bool QSvgIOHandlerPrivate::load(QIODevice *device)
{
- if (loaded)
- return true;
+ if (loadAttempted)
+ return loadStatus;
+ loadAttempted = true;
if (q->format().isEmpty())
q->canRead();
@@ -63,10 +65,10 @@
if (res) {
defaultSize = r.defaultSize();
- loaded = true;
+ loadStatus = true;
}
- return loaded;
+ return loadStatus;
}
@@ -105,7 +107,7 @@
{
if (!device())
return false;
- if (d->loaded && !d->readDone)
+ if (d->loadStatus && !d->readDone)
return true; // Will happen if we have been asked for the size
bool isCompressed = false;
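Review bot: `loadAttempted = true` is set at the very start of QSvgIOHandlerPrivate::load(), before `q->canRead()` and the actual parse, so any early exit between that line and the `if (res)` block leaves the handler permanently reporting failure; that sticky failure is the point of the patch (it stops the second size() call from re-parsing), but nothing in the code says so, and a one-line comment on that assignment would prevent someone "fixing" it later: `// Set before parsing: a failed or partial load must not be retried on the next size()/read() call.` The two new flags extend an already long constructor initializer list; as Qt 6 builds as C++17, `bool loadAttempted = false;` and `bool loadStatus = false;` as in-class initializers would read better and keep the constructor to `q(qq), backColor(Qt::transparent)`. The function at the last hunk (`if (d->loadStatus && !d->readDone)`) starts outside the hunk, so its name and whether it can be reached before load() cannot be confirmed from here.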


@ -0,0 +1,115 @@
From f12f893931603bb6561149d813ca88b86e169ffd Mon Sep 17 00:00:00 2001
From: Paul Olav Tvete <paul.tvete@qt.io>
Date: Tue, 10 Oct 2023 14:25:19 +0200
Subject: [PATCH] Verify that loading of invalid SVG files don't crash
Also verify that we don't try to load invalid SVGs
twice.
Pick-to: 6.5
Task-number: QTBUG-117944
Change-Id: If3938384940112510d64a675f58c1e4e97e74986
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
(cherry picked from commit 7eb8f63915a470b89b96eb274252543a22e774a7)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
diff --git a/tests/auto/qsvgplugin/CMakeLists.txt b/tests/auto/qsvgplugin/CMakeLists.txt
index e678708..c913cd3 100644
--- a/tests/auto/qsvgplugin/CMakeLists.txt
+++ b/tests/auto/qsvgplugin/CMakeLists.txt
@@ -37,6 +37,9 @@
"simple_Utf16BE.svg"
"simple_Utf32LE.svg"
"simple_Utf32BE.svg"
+ "invalid_xml.svg"
+ "xml_not_svg.svg"
+ "invalid_then_valid.svg"
)
qt_internal_add_resource(tst_qsvgplugin "resources"
diff --git a/tests/auto/qsvgplugin/invalid_then_valid.svg b/tests/auto/qsvgplugin/invalid_then_valid.svg
new file mode 100644
index 0000000..d09f598
--- /dev/null
+++ b/tests/auto/qsvgplugin/invalid_then_valid.svg
@@ -0,0 +1,18 @@
+<!-- html-header type=current begin -->
+
+ <!DOCTYPE html>
+
+ <html lang="en">
+ <head>
+ <!-- Render IE9 -->
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+ </head>
+
+<body class="anon comments ">
+
+</body></html>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" xmlns="http://www.w3.org/2000/svg">
+ <circle cx="50" cy="50" r="25" fill="#00ff00" />
+</svg>
diff --git a/tests/auto/qsvgplugin/invalid_xml.svg b/tests/auto/qsvgplugin/invalid_xml.svg
new file mode 100644
index 0000000..e0814ae
--- /dev/null
+++ b/tests/auto/qsvgplugin/invalid_xml.svg
@@ -0,0 +1,2 @@
+<!--abcd
+
diff --git a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
index 8bb401d..762d373 100644
--- a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
+++ b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
@@ -67,6 +67,9 @@
QTest::newRow("wide_size") << QFINDTESTDATA("wide_size.svg") << 100 << 200;
QTest::newRow("wide_size_viewbox") << QFINDTESTDATA("wide_size_viewbox.svg") << 100 << 200;
QTest::newRow("wide_viewbox") << QFINDTESTDATA("wide_viewbox.svg") << 50 << 100;
+ QTest::newRow("invalid_xml") << QFINDTESTDATA("invalid_xml.svg") << 0 << 0;
+ QTest::newRow("xml_not_svg") << QFINDTESTDATA("xml_not_svg.svg") << 0 << 0;
+ QTest::newRow("invalid_then_valid") << QFINDTESTDATA("invalid_then_valid.svg") << 0 << 0;
}
void tst_QSvgPlugin::checkSize()
@@ -84,10 +87,19 @@
QImage image;
plugin.read(&image);
+ // Check that plugin survives double load
+ QVariant sizeVariant = plugin.option(QImageIOHandler::Size);
+
file.close();
QCOMPARE(imageHeight, image.height());
QCOMPARE(imageWidth, image.width());
+
+ QSize size = qvariant_cast<QSize>(sizeVariant);
+ if (size.isEmpty())
+ size = QSize(0, 0); // don't distinguish between null and invalid QSize
+ QCOMPARE(size.width(), imageWidth);
+ QCOMPARE(size.height(), imageHeight);
}
void tst_QSvgPlugin::checkImageInclude()
diff --git a/tests/auto/qsvgplugin/xml_not_svg.svg b/tests/auto/qsvgplugin/xml_not_svg.svg
new file mode 100644
index 0000000..ccefc72
--- /dev/null
+++ b/tests/auto/qsvgplugin/xml_not_svg.svg
@@ -0,0 +1,13 @@
+<!-- html-header type=current begin -->
+
+ <!DOCTYPE html>
+
+ <html lang="en">
+ <head>
+ <!-- Render IE9 -->
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+ </head>
+
+<body class="anon comments ">
+
+</body></html>
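Review bot: The `invalid_then_valid` row in tst_qsvgplugin.cpp expects a 0x0 result even though the file ends with a well-formed `<svg>` element, and nothing on the row says that this is deliberate; a comment such as `// HTML prefix must make the whole file invalid; the trailing <svg> must not be picked up by scanning past the garbage` would record the intent and stop a future reader from "fixing" the expectation. In checkSize(), the normalisation `if (size.isEmpty()) size = QSize(0, 0);` also maps a size with just one zero dimension to (0,0), since QSize::isEmpty() is true when either dimension is <= 0; for the current rows that is harmless, but `if (!size.isValid())` (negative dimensions only, which is what a default-constructed QSize gives) would be the tighter check and still cover the null-size case the comment describes. The second `plugin.option(QImageIOHandler::Size)` call is what exercises the double-load path from the previous patch, and the comment above it could say so explicitly, e.g. `// Second size query after read(): must not re-parse the (possibly invalid) file`.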