Don't crash QML image on bad source

2023-10-18 14:46:56 +02:00 · 2023-10-18 14:46:56 +02:00 · aa3df7d95b
commit aa3df7d95b
parent b80565c9f4
4 changed files with 227 additions and 1 deletions
--- a/qt6-qtsvg.spec
+++ b/qt6-qtsvg.spec
@ -11,7 +11,7 @@
 Summary: Qt6 - Support for rendering and displaying SVG
 Name:    qt6-%{qt_module}
 Version: 6.6.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
 Url:     http://www.qt.io
@ -24,6 +24,12 @@ Source0: https://download.qt.io/development_releases/qt/%{majmin}/%{qt_version}/
 Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz
 %endif
 # QTBUG-117944
 # QML Image bad source crashes application instead of error status (QSvgHandler::parse)
 Patch0:  qtsvg-fix-nullptr-dereference-with-invalid-svg.patch
 Patch1:  qtsvg-make-sure-we-dont-load-invalid-svg-twice.patch
 Patch2:  qtsvg-verify-loading-of-invalid-svg-files-dont-crash.patch
 # filter plugin provides
 %global __provides_exclude_from ^%{_qt6_plugindir}/.*\\.so$
@ -114,6 +120,9 @@ popd
 %endif
 %changelog
 * Wed Oct 18 2023 Jan Grulich <jgrulich@redhat.com> - 6.6.0-3
 - Don't crash QML image on bad source
 * Tue Oct 17 2023 Jan Grulich <jgrulich@redhat.com> - 6.6.0-2
 - Re-enable examples
--- a/qtsvg-fix-nullptr-dereference-with-invalid-svg.patch
+++ b/qtsvg-fix-nullptr-dereference-with-invalid-svg.patch
@ -0,0 +1,26 @@
 From effc44495a33babd4cf7a2044123f420e6b3da1c Mon Sep 17 00:00:00 2001
 From: Paul Olav Tvete <paul.tvete@qt.io>
 Date: Tue, 10 Oct 2023 10:14:22 +0200
 Subject: [PATCH] Fix nullptr dereference with invalid SVG
 Fixes: QTBUG-117944
 Pick-to: 6.5 6.2
 Change-Id: I9059dc28c750fc0585f1fb982152b211c323c6cd
 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
 (cherry picked from commit edc8ca7f1e45302223b4b7962a57a30918f84c8d)
 Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
 ---
 diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
 index 2649422..335500a 100644
 --- a/src/svg/qsvghandler.cpp
 +++ b/src/svg/qsvghandler.cpp
@@ -3606,6 +3606,8 @@
 static bool detectCycles(const QSvgNode *node, QList<const QSvgUse *> active = {})
 {
 +    if (Q_UNLIKELY(!node))
 +        return false;
     switch (node->type()) {
     case QSvgNode::DOC:
     case QSvgNode::G:
--- a/qtsvg-make-sure-we-dont-load-invalid-svg-twice.patch
+++ b/qtsvg-make-sure-we-dont-load-invalid-svg-twice.patch
@ -0,0 +1,76 @@
 From 0bfb420574f192a097c7ab3dbdd452b39464dc84 Mon Sep 17 00:00:00 2001
 From: Paul Olav Tvete <paul.tvete@qt.io>
 Date: Tue, 10 Oct 2023 11:41:41 +0200
 Subject: [PATCH] Make sure we don't load invalid SVGs twice
 Fixes a bug where loading an invalid SVG that happens
 to be valid XML could behave differently in QML and C++,
 because readimage() in qquickpixmapcache.cpp calls
 QImageReader::size() twice.
 Task-number: QTBUG-117944
 Pick-to: 6.5
 Change-Id: Ibef7f54627c76414c66f81804f5f46f2db3594ba
 Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
 Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
 (cherry picked from commit a090bd1f9a7bfa14f06b14570c6a5a37843931c6)
 Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
 ---
 diff --git a/src/plugins/imageformats/svg/qsvgiohandler.cpp b/src/plugins/imageformats/svg/qsvgiohandler.cpp
 index b04ee6b..570c982 100644
 --- a/src/plugins/imageformats/svg/qsvgiohandler.cpp
 +++ b/src/plugins/imageformats/svg/qsvgiohandler.cpp
@@ -19,7 +19,7 @@
 {
 public:
     QSvgIOHandlerPrivate(QSvgIOHandler *qq)
 -        : q(qq), loaded(false), readDone(false), backColor(Qt::transparent)
 +        : q(qq), loadAttempted(false), loadStatus(false), readDone(false), backColor(Qt::transparent)
     {}
     bool load(QIODevice *device);
@@ -31,7 +31,8 @@
     QRect            clipRect;
     QSize            scaledSize;
     QRect            scaledClipRect;
 -    bool             loaded;
 +    bool             loadAttempted;
 +    bool             loadStatus;
     bool             readDone;
     QColor           backColor;
 };
@@ -39,8 +40,9 @@
 bool QSvgIOHandlerPrivate::load(QIODevice *device)
 {
 -    if (loaded)
 -        return true;
 +    if (loadAttempted)
 +        return loadStatus;
 +    loadAttempted = true;
     if (q->format().isEmpty())
         q->canRead();
@@ -63,10 +65,10 @@
     if (res) {
         defaultSize = r.defaultSize();
 -        loaded = true;
 +        loadStatus = true;
     }
 -    return loaded;
 +    return loadStatus;
 }
@@ -105,7 +107,7 @@
 {
     if (!device())
         return false;
 -    if (d->loaded && !d->readDone)
 +    if (d->loadStatus && !d->readDone)
         return true;        // Will happen if we have been asked for the size
     bool isCompressed = false;
--- a/qtsvg-verify-loading-of-invalid-svg-files-dont-crash.patch
+++ b/qtsvg-verify-loading-of-invalid-svg-files-dont-crash.patch
@ -0,0 +1,115 @@
 From f12f893931603bb6561149d813ca88b86e169ffd Mon Sep 17 00:00:00 2001
 From: Paul Olav Tvete <paul.tvete@qt.io>
 Date: Tue, 10 Oct 2023 14:25:19 +0200
 Subject: [PATCH] Verify that loading of invalid SVG files don't crash
 Also verify that we don't try to load invalid SVGs
 twice.
 Pick-to: 6.5
 Task-number: QTBUG-117944
 Change-Id: If3938384940112510d64a675f58c1e4e97e74986
 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
 (cherry picked from commit 7eb8f63915a470b89b96eb274252543a22e774a7)
 Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
 ---
 diff --git a/tests/auto/qsvgplugin/CMakeLists.txt b/tests/auto/qsvgplugin/CMakeLists.txt
 index e678708..c913cd3 100644
 --- a/tests/auto/qsvgplugin/CMakeLists.txt
 +++ b/tests/auto/qsvgplugin/CMakeLists.txt
@@ -37,6 +37,9 @@
     "simple_Utf16BE.svg"
     "simple_Utf32LE.svg"
     "simple_Utf32BE.svg"
 +    "invalid_xml.svg"
 +    "xml_not_svg.svg"
 +    "invalid_then_valid.svg"
 )
 qt_internal_add_resource(tst_qsvgplugin "resources"
 diff --git a/tests/auto/qsvgplugin/invalid_then_valid.svg b/tests/auto/qsvgplugin/invalid_then_valid.svg
 new file mode 100644
 index 0000000..d09f598
 --- /dev/null
 +++ b/tests/auto/qsvgplugin/invalid_then_valid.svg
@@ -0,0 +1,18 @@
 +<!-- html-header type=current begin -->
 +	
 +	<!DOCTYPE html>
 +	
 +	<html lang="en">
 +	<head>
 +	<!-- Render IE9 -->
 +	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 +	</head>
 +
 +<body class="anon comments ">
 +
 +</body></html>
 +<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
 +<svg version="1.0" xmlns="http://www.w3.org/2000/svg">
 +  <circle cx="50" cy="50" r="25" fill="#00ff00" />
 +</svg>
 diff --git a/tests/auto/qsvgplugin/invalid_xml.svg b/tests/auto/qsvgplugin/invalid_xml.svg
 new file mode 100644
 index 0000000..e0814ae
 --- /dev/null
 +++ b/tests/auto/qsvgplugin/invalid_xml.svg
@@ -0,0 +1,2 @@
 +<!--abcd
 +
 diff --git a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
 index 8bb401d..762d373 100644
 --- a/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
 +++ b/tests/auto/qsvgplugin/tst_qsvgplugin.cpp
@@ -67,6 +67,9 @@
     QTest::newRow("wide_size")           << QFINDTESTDATA("wide_size.svg")           << 100 << 200;
     QTest::newRow("wide_size_viewbox")   << QFINDTESTDATA("wide_size_viewbox.svg")   << 100 << 200;
     QTest::newRow("wide_viewbox")        << QFINDTESTDATA("wide_viewbox.svg")        <<  50 << 100;
 +    QTest::newRow("invalid_xml")         << QFINDTESTDATA("invalid_xml.svg")         <<  0 << 0;
 +    QTest::newRow("xml_not_svg")         << QFINDTESTDATA("xml_not_svg.svg")         <<  0 << 0;
 +    QTest::newRow("invalid_then_valid")  << QFINDTESTDATA("invalid_then_valid.svg")  <<  0 << 0;
 }
 void tst_QSvgPlugin::checkSize()
@@ -84,10 +87,19 @@
     QImage image;
     plugin.read(&image);
 +    // Check that plugin survives double load
 +    QVariant sizeVariant = plugin.option(QImageIOHandler::Size);
 +
     file.close();
     QCOMPARE(imageHeight, image.height());
     QCOMPARE(imageWidth, image.width());
 +
 +    QSize size = qvariant_cast<QSize>(sizeVariant);
 +    if (size.isEmpty())
 +        size = QSize(0, 0); // don't distinguish between null and invalid QSize
 +    QCOMPARE(size.width(), imageWidth);
 +    QCOMPARE(size.height(), imageHeight);
 }
 void tst_QSvgPlugin::checkImageInclude()
 diff --git a/tests/auto/qsvgplugin/xml_not_svg.svg b/tests/auto/qsvgplugin/xml_not_svg.svg
 new file mode 100644
 index 0000000..ccefc72
 --- /dev/null
 +++ b/tests/auto/qsvgplugin/xml_not_svg.svg
@@ -0,0 +1,13 @@
 +<!-- html-header type=current begin -->
 +	
 +	<!DOCTYPE html>
 +	
 +	<html lang="en">
 +	<head>
 +	<!-- Render IE9 -->
 +	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 +	</head>
 +
 +<body class="anon comments ">
 +
 +</body></html>