|
 |
93b3ef |
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
|
|
|
0b683e |
index b3d9aaf..402a71f 100644
|
|
|
93b3ef |
--- a/src/svg/qsvghandler.cpp
|
|
|
93b3ef |
+++ b/src/svg/qsvghandler.cpp
|
|
|
0b683e |
@@ -1614,6 +1614,7 @@ static void pathArc(QPainterPath &path,
|
|
|
93b3ef |
|
|
|
93b3ef |
static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
{
|
|
|
93b3ef |
+ const int maxElementCount = 0x7fff; // Assume file corruption if more path elements than this
|
|
|
93b3ef |
qreal x0 = 0, y0 = 0; // starting point
|
|
|
93b3ef |
qreal x = 0, y = 0; // current point
|
|
|
93b3ef |
char lastMode = 0;
|
|
|
0b683e |
@@ -1621,7 +1622,8 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
const QChar *str = dataStr.constData();
|
|
|
93b3ef |
const QChar *end = str + dataStr.size();
|
|
|
93b3ef |
|
|
|
93b3ef |
- while (str != end) {
|
|
|
93b3ef |
+ bool ok = true;
|
|
|
93b3ef |
+ while (ok && str != end) {
|
|
|
93b3ef |
while (str->isSpace() && (str + 1) != end)
|
|
|
93b3ef |
++str;
|
|
|
93b3ef |
QChar pathElem = *str;
|
|
|
0b683e |
@@ -1635,14 +1637,13 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
arg.append(0);//dummy
|
|
|
93b3ef |
const qreal *num = arg.constData();
|
|
|
93b3ef |
int count = arg.count();
|
|
|
93b3ef |
- while (count > 0) {
|
|
|
93b3ef |
+ while (ok && count > 0) {
|
|
|
93b3ef |
qreal offsetX = x; // correction offsets
|
|
|
93b3ef |
qreal offsetY = y; // for relative commands
|
|
|
93b3ef |
switch (pathElem.unicode()) {
|
|
|
93b3ef |
case 'm': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num++;
|
|
|
93b3ef |
- count--;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
x = x0 = num[0] + offsetX;
|
|
|
0b683e |
@@ -1659,8 +1660,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
case 'M': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num++;
|
|
|
93b3ef |
- count--;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
x = x0 = num[0];
|
|
|
0b683e |
@@ -1686,8 +1686,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
case 'l': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num++;
|
|
|
93b3ef |
- count--;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
x = num[0] + offsetX;
|
|
|
0b683e |
@@ -1700,8 +1699,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
case 'L': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num++;
|
|
|
93b3ef |
- count--;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
x = num[0];
|
|
|
0b683e |
@@ -1741,8 +1739,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
case 'c': {
|
|
|
93b3ef |
if (count < 6) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c1(num[0] + offsetX, num[1] + offsetY);
|
|
|
0b683e |
@@ -1758,8 +1755,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'C': {
|
|
|
93b3ef |
if (count < 6) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c1(num[0], num[1]);
|
|
|
0b683e |
@@ -1775,8 +1771,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 's': {
|
|
|
93b3ef |
if (count < 4) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c1;
|
|
|
0b683e |
@@ -1797,8 +1792,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'S': {
|
|
|
93b3ef |
if (count < 4) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c1;
|
|
|
0b683e |
@@ -1819,8 +1813,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'q': {
|
|
|
93b3ef |
if (count < 4) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c(num[0] + offsetX, num[1] + offsetY);
|
|
|
0b683e |
@@ -1835,8 +1828,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'Q': {
|
|
|
93b3ef |
if (count < 4) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF c(num[0], num[1]);
|
|
|
0b683e |
@@ -1851,8 +1843,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 't': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF e(num[0] + offsetX, num[1] + offsetY);
|
|
|
0b683e |
@@ -1872,8 +1863,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'T': {
|
|
|
93b3ef |
if (count < 2) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
QPointF e(num[0], num[1]);
|
|
|
0b683e |
@@ -1893,8 +1883,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
case 'a': {
|
|
|
93b3ef |
if (count < 7) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
qreal rx = (*num++);
|
|
|
0b683e |
@@ -1916,8 +1905,7 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
case 'A': {
|
|
|
93b3ef |
if (count < 7) {
|
|
|
93b3ef |
- num += count;
|
|
|
93b3ef |
- count = 0;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
qreal rx = (*num++);
|
|
|
0b683e |
@@ -1938,12 +1926,15 @@ static bool parsePathDataFast(const QStringRef &dataStr, QPainterPath &path)
|
|
|
93b3ef |
}
|
|
|
93b3ef |
break;
|
|
|
93b3ef |
default:
|
|
|
93b3ef |
- return false;
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
+ break;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
lastMode = pathElem.toLatin1();
|
|
|
93b3ef |
+ if (path.elementCount() > maxElementCount)
|
|
|
93b3ef |
+ ok = false;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
}
|
|
|
93b3ef |
- return true;
|
|
|
93b3ef |
+ return ok;
|
|
|
93b3ef |
}
|
|
|
93b3ef |
|
|
|
93b3ef |
static bool parseStyle(QSvgNode *node,
|
|
|
0b683e |
@@ -2979,8 +2970,8 @@ static QSvgNode *createPathNode(QSvgNode *parent,
|
|
|
93b3ef |
|
|
|
93b3ef |
QPainterPath qpath;
|
|
|
93b3ef |
qpath.setFillRule(Qt::WindingFill);
|
|
|
93b3ef |
- //XXX do error handling
|
|
|
93b3ef |
- parsePathDataFast(data, qpath);
|
|
|
93b3ef |
+ if (!parsePathDataFast(data, qpath))
|
|
|
93b3ef |
+ qCWarning(lcSvgHandler, "Invalid path data; path truncated.");
|
|
|
93b3ef |
|
|
|
93b3ef |
QSvgNode *path = new QSvgPath(parent, qpath);
|
|
|
93b3ef |
return path;
|