Package: qt4-x11 / 4:4.8.7+dfsg-18

CVE-2018-19869.patch
From 8c199714e9bc638fb3f6ec747fb7a23373e49335 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 9 Jul 2018 10:45:22 +0200
Subject: [PATCH] Fix crash when parsing malformed url reference

The parsing did not check for end of input.

Change-Id: I56a478877d242146395977b767511425d2b8ced1
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/svg/qsvghandler.cpp                      | 11 +++++----
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 26 ++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -746,16 +746,17 @@
 static QString idFromUrl(const QString &url)
 {
     QString::const_iterator itr = url.constBegin();
-    while ((*itr).isSpace())
+    QString::const_iterator end = url.constEnd();
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('('))
+    if (itr != end && (*itr) == QLatin1Char('('))
         ++itr;
-    while ((*itr).isSpace())
+    while (itr != end && (*itr).isSpace())
         ++itr;
-    if ((*itr) == QLatin1Char('#'))
+    if (itr != end && (*itr) == QLatin1Char('#'))
         ++itr;
     QString id;
-    while ((*itr) != QLatin1Char(')')) {
+    while (itr != end && (*itr) != QLatin1Char(')')) {
         id += *itr;
         ++itr;
     }
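Review bot: The final loop, `while (itr != end && (*itr) != QLatin1Char(')'))`, now stops safely at end of input, but it no longer distinguishes "found the closing paren" from "ran out of characters". A truncated reference with no `)` therefore yields whatever was accumulated as a valid-looking id. If callers are meant to reject malformed references rather than resolve a partial id, add `if (itr == end) return QString();` after the loop; the function's return statement is outside this hunk, so first confirm that no caller relies on the lenient form. Whichever behaviour is chosen, a short comment above the first loop would help keep the guards in place, for example `// url is untrusted SVG attribute text: every dereference of itr must be preceded by itr != end`.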