File 0006-Fix-stack-overflow-in-dtor-of-QSvgTinyDocument.patch of Package libqt5-qtsvg (project openSUSE:Step:15-SP2)
From 223f2b10f99ec7c1f5e7e9708f244d335e22d12b Mon Sep 17 00:00:00 2001 From: Robert Loehning <robert.loehning@qt.io> Date: Mon, 13 Jul 2020 20:53:11 +0200 Subject: [PATCH 06/21] Fix stack overflow in dtor of QSvgTinyDocument Add a maximum to how many unfinished elements will be parsed by QSvgHandler. Fixes: oss-fuzz-24000 Change-Id: I4cea0500d2bc503d2c509d091300dd1117170299 Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 2fc2cb44b275c7c18c2db262eec443eb198b9cc6) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> (cherry picked from commit a8ed1cd03bf524072d13c66ab14da8ff1b22cde2) --- src/svg/qsvghandler.cpp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 14f7905..ab5f9ef 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -3633,6 +3633,10 @@ void QSvgHandler::init() parse(); } +// Having too many unfinished elements will cause a stack overflow +// in the dtor of QSvgTinyDocument, see oss-fuzz issue 24000. +static const int unfinishedElementsLimit = 2048; + void QSvgHandler::parse() { xml->setNamespaceProcessing(false); @@ -3641,6 +3645,7 @@ void QSvgHandler::parse() m_inStyle = false; #endif bool done = false; + int remainingUnfinishedElements = unfinishedElementsLimit; while (!xml->atEnd() && !done) { switch (xml->readNext()) { case QXmlStreamReader::StartElement: @@ -3652,7 +3657,10 @@ void QSvgHandler::parse() // namespaceUri is empty. The only possible strategy at // this point is to do what everyone else seems to do and // ignore the reported namespaceUri completely. - if (!startElement(xml->name().toString(), xml->attributes())) { + if (remainingUnfinishedElements + && startElement(xml->name().toString(), xml->attributes())) { + --remainingUnfinishedElements; + } else { delete m_doc; m_doc = 0; return; 
@@ -3660,6 +3668,7 @@ void QSvgHandler::parse() break; case QXmlStreamReader::EndElement: endElement(xml->name()); + ++remainingUnfinishedElements; // if we are using somebody else's qxmlstreamreader // we should not read until the end of the stream done = !m_ownsReader && (xml->name() == QLatin1String("svg")); -- 2.20.1
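Review bot: the comment on `unfinishedElementsLimit` in the first hunk names the symptom (a stack overflow in the QSvgTinyDocument destructor) but not what the constant actually bounds. Because the counter is decremented on every accepted StartElement and incremented on every EndElement, the limit caps the number of simultaneously open elements, that is, the nesting depth of the node tree that the destructor has to walk recursively. Say so in the comment, e.g. `// Maximum element nesting depth; deeper documents are rejected`, and mention that documents nested more than 2048 levels deep are now refused, since that is an observable behaviour change for callers that a reader of the constant alone cannot infer.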
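Review bot: in the second hunk, running out of `remainingUnfinishedElements` takes exactly the same path as a `startElement()` failure (`delete m_doc; m_doc = 0; return;`), so a document rejected for excessive nesting is indistinguishable from a malformed one and, as far as these lines show, nothing is diagnosed. Consider testing the counter separately before calling `startElement()`, e.g. `if (!remainingUnfinishedElements) { qWarning("SVG nesting depth exceeds limit"); delete m_doc; m_doc = 0; return; }`, so the limit case can be reported. The order of the `&&` operands is correct as written: the counter is checked first, so once the budget is exhausted `startElement()` is never invoked and no node is created for the element that pushes the document over the limit.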
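Review bot: the `++remainingUnfinishedElements` in the third hunk is unconditional, so the counter stays balanced only if every EndElement handled here had a matching StartElement for which `startElement()` returned true. That holds because a false return leaves `parse()` immediately in the hunk above, and it relies on QXmlStreamReader never delivering an EndElement without a preceding StartElement, but the invariant is nowhere stated. A `Q_ASSERT(remainingUnfinishedElements <= unfinishedElementsLimit);` after the increment would document it and flag a regression if the StartElement branch is later changed to continue on failure instead of returning.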