Fixed crash when parsing invalid polygons in svgs.

Since a 2D point consists of two coordinates, it was assumed that
polygons and polylines were described with an even number of
coordinates. When the number of coordinates was odd, the program
would read out of bounds and cause an assert failure.

Task-number: QTBUG-6899
Reviewed-by: Gunnar

1 files changed, 4 insertions, 16 deletions

diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 4384bf6..2a27aa1 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -2722,14 +2722,8 @@ static QSvgNode *createPolygonNode(QSvgNode *parent,
     const QChar *s = pointsStr.constData();
     QVector<qreal> points = parseNumbersList(s);
     QPolygonF poly(points.count()/2);
-    int i = 0;
-    QVector<qreal>::const_iterator itr = points.constBegin();
-    while (itr != points.constEnd()) {
-        qreal one = *itr; ++itr;
-        qreal two = *itr; ++itr;
-        poly[i] = QPointF(one, two);
-        ++i;
-    }
+    for (int i = 0; i < poly.size(); ++i)
+        poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
     QSvgNode *polygon = new QSvgPolygon(parent, poly);
     return polygon;
 }
@@ -2744,14 +2738,8 @@ static QSvgNode *createPolylineNode(QSvgNode *parent,
     const QChar *s = pointsStr.constData();
     QVector<qreal> points = parseNumbersList(s);
     QPolygonF poly(points.count()/2);
-    int i = 0;
-    QVector<qreal>::const_iterator itr = points.constBegin();
-    while (itr != points.constEnd()) {
-        qreal one = *itr; ++itr;
-        qreal two = *itr; ++itr;
-        poly[i] = QPointF(one, two);
-        ++i;
-    }
+    for (int i = 0; i < poly.size(); ++i)
+        poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
 
     QSvgNode *line = new QSvgPolyline(parent, poly);
     return line;