summaryrefslogtreecommitdiffstats
path: root/src/svg
diff options
context:
space:
mode:
authorKim Motoyoshi Kalland <kim.kalland@nokia.com>2009-12-18 09:27:59 (GMT)
committerKim Motoyoshi Kalland <kim.kalland@nokia.com>2009-12-18 09:27:59 (GMT)
commit4100b42403399e600e935d15d940c4ac6000816f (patch)
tree9cdd01ca7e441c08a5b2c317adce0a714b20953b /src/svg
parent4b5b74835f6323415f7df43ddb74caa078c4ab62 (diff)
downloadQt-4100b42403399e600e935d15d940c4ac6000816f.zip
Qt-4100b42403399e600e935d15d940c4ac6000816f.tar.gz
Qt-4100b42403399e600e935d15d940c4ac6000816f.tar.bz2
Fixed crash when parsing invalid polygons in svgs.
Since a 2D point consists of two coordinates, it was assumed that polygons and polylines were described with an even number of coordinates. When the number of coordinates was odd, the program would read out of bounds and cause an assert failure. Task-number: QTBUG-6899 Reviewed-by: Gunnar
Diffstat (limited to 'src/svg')
-rw-r--r--src/svg/qsvghandler.cpp20
1 files changed, 4 insertions, 16 deletions
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
index 4384bf6..2a27aa1 100644
--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -2722,14 +2722,8 @@ static QSvgNode *createPolygonNode(QSvgNode *parent,
const QChar *s = pointsStr.constData();
QVector<qreal> points = parseNumbersList(s);
QPolygonF poly(points.count()/2);
- int i = 0;
- QVector<qreal>::const_iterator itr = points.constBegin();
- while (itr != points.constEnd()) {
- qreal one = *itr; ++itr;
- qreal two = *itr; ++itr;
- poly[i] = QPointF(one, two);
- ++i;
- }
+ for (int i = 0; i < poly.size(); ++i)
+ poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
QSvgNode *polygon = new QSvgPolygon(parent, poly);
return polygon;
}
@@ -2744,14 +2738,8 @@ static QSvgNode *createPolylineNode(QSvgNode *parent,
const QChar *s = pointsStr.constData();
QVector<qreal> points = parseNumbersList(s);
QPolygonF poly(points.count()/2);
- int i = 0;
- QVector<qreal>::const_iterator itr = points.constBegin();
- while (itr != points.constEnd()) {
- qreal one = *itr; ++itr;
- qreal two = *itr; ++itr;
- poly[i] = QPointF(one, two);
- ++i;
- }
+ for (int i = 0; i < poly.size(); ++i)
+ poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
QSvgNode *line = new QSvgPolyline(parent, poly);
return line;