From 4100b42403399e600e935d15d940c4ac6000816f Mon Sep 17 00:00:00 2001 From: Kim Motoyoshi Kalland Date: Fri, 18 Dec 2009 10:27:59 +0100 Subject: Fixed crash when parsing invalid polygons in svgs. Since a 2D point consists of two coordinates, it was assumed that polygons and polylines were described with an even number of coordinates. When the number of coordinates was odd, the program would read out of bounds and cause an assert failure. Task-number: QTBUG-6899 Reviewed-by: Gunnar --- src/svg/qsvghandler.cpp | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp index 4384bf6..2a27aa1 100644 --- a/src/svg/qsvghandler.cpp +++ b/src/svg/qsvghandler.cpp @@ -2722,14 +2722,8 @@ static QSvgNode *createPolygonNode(QSvgNode *parent, const QChar *s = pointsStr.constData(); QVector points = parseNumbersList(s); QPolygonF poly(points.count()/2); - int i = 0; - QVector::const_iterator itr = points.constBegin(); - while (itr != points.constEnd()) { - qreal one = *itr; ++itr; - qreal two = *itr; ++itr; - poly[i] = QPointF(one, two); - ++i; - } + for (int i = 0; i < poly.size(); ++i) + poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1)); QSvgNode *polygon = new QSvgPolygon(parent, poly); return polygon; } @@ -2744,14 +2738,8 @@ static QSvgNode *createPolylineNode(QSvgNode *parent, const QChar *s = pointsStr.constData(); QVector points = parseNumbersList(s); QPolygonF poly(points.count()/2); - int i = 0; - QVector::const_iterator itr = points.constBegin(); - while (itr != points.constEnd()) { - qreal one = *itr; ++itr; - qreal two = *itr; ++itr; - poly[i] = QPointF(one, two); - ++i; - } + for (int i = 0; i < poly.size(); ++i) + poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1)); QSvgNode *line = new QSvgPolyline(parent, poly); return line; -- cgit v0.12