| -rw-r--r-- | src/quick/items/qquicktextdocument.cpp | 4 | ||||
| -rw-r--r-- | src/quick/util/qquickstyledtext.cpp | 19 | ||||
| -rw-r--r-- | tests/auto/quick/qquicktext/tst_qquicktext.cpp | 16 |
3 files changed, 35 insertions, 4 deletions
diff --git a/src/quick/items/qquicktextdocument.cpp b/src/quick/items/qquicktextdocument.cpp
index d11bae5919..798b0d0599 100644
--- a/src/quick/items/qquicktextdocument.cpp
+++ b/src/quick/items/qquicktextdocument.cpp
@@ -590,9 +590,9 @@ QSizeF QQuickTextImageHandler::intrinsicSize(
 {
 if (format.isImageFormat()) {
 QTextImageFormat imageFormat = format.toImageFormat();
- int width = qRound(imageFormat.width());
+ int width = qRound(qBound(qreal(INT_MIN), imageFormat.width(), qreal(INT_MAX)));
 const bool hasWidth = imageFormat.hasProperty(QTextFormat::ImageWidth) && width > 0;
- const int height = qRound(imageFormat.height());
+ const int height = qRound(qBound(qreal(INT_MIN), imageFormat.height(), qreal(INT_MAX)));
 const bool hasHeight = imageFormat.hasProperty(QTextFormat::ImageHeight) && height > 0;
 const auto maxWidth = imageFormat.maximumWidth();
 const bool hasMaxWidth = imageFormat.hasProperty(QTextFormat::ImageMaxWidth) && maxWidth.type() != QTextLength::VariableLength;
diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index bb003c19a6..7d21c8999f 100644
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -11,6 +11,11 @@
 #include "qquickstyledtext_p.h"
 #include <QQmlContext>
 #include <QtGui/private/qtexthtmlparser_p.h>
+#include <QtGui/private/qoutlinemapper_p.h>
+
+#ifndef QQUICKSTYLEDPARSER_COORD_LIMIT
+# define QQUICKSTYLEDPARSER_COORD_LIMIT QT_RASTER_COORD_LIMIT
+#endif
 Q_STATIC_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
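Review bot: In QQuickTextImageHandler::intrinsicSize the two qBound() calls keep qRound() inside the int range, but a clamped value of INT_MAX still satisfies `width > 0` / `height > 0` and is therefore carried on as an explicit image size. The styled-text parser changed in this same commit rejects anything above QQUICKSTYLEDPARSER_COORD_LIMIT, so the two <img> paths now accept different ranges; whether the later size arithmetic in this function copes with INT_MAX cannot be seen from the hunk. Consider bounding to the same coordinate limit here, or at least record the intent with a comment such as `// Clamp before qRound(): sizes taken from document markup may lie outside the int range`. The function body starts before and continues past the hunk.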
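Review bot: QQUICKSTYLEDPARSER_COORD_LIMIT in qquickstyledtext.cpp is introduced without any comment, and the `#ifndef` guard lets a build replace it with an arbitrary value. A short comment above the guard, for example `// Largest <img> width/height accepted by the styled-text parser; defaults to QT_RASTER_COORD_LIMIT and may be overridden at build time`, would explain why a private QtGui header is included only for this constant and what an override is expected to respect.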
@@ -660,9 +665,19 @@ void QQuickStyledTextPrivate::parseImageAttributes(const QChar *&ch, const QStri
 if (is_equal_ignoring_case(attr.first, QLatin1String("src"))) {
 image->url = QUrl(attr.second.toString());
 } else if (is_equal_ignoring_case(attr.first, QLatin1String("width"))) {
- image->size.setWidth(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setWidth(v);
+ else
+ qCWarning(lcStyledText) << "Invalid width provided for <img>";
 } else if (is_equal_ignoring_case(attr.first, QLatin1String("height"))) {
- image->size.setHeight(attr.second.toString().toInt());
+ bool ok;
+ int v = attr.second.toString().toInt(&ok);
+ if (ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)
+ image->size.setHeight(v);
+ else
+ qCWarning(lcStyledText) << "Invalid height provided for <img>";
 } else if (is_equal_ignoring_case(attr.first, QLatin1String("align"))) {
 if (is_equal_ignoring_case(attr.second, QLatin1String("top"))) {
 image->align = QQuickStyledTextImgTag::Top;
diff --git a/tests/auto/quick/qquicktext/tst_qquicktext.cpp b/tests/auto/quick/qquicktext/tst_qquicktext.cpp
index d6534e504c..6f37a6a01f 100644
--- a/tests/auto/quick/qquicktext/tst_qquicktext.cpp
+++ b/tests/auto/quick/qquicktext/tst_qquicktext.cpp
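Review bot: The new range check in parseImageAttributes has an upper bound only, so a negative width or height that still fits in an int (for example `-1` or INT_MIN) passes `ok && v <= QQUICKSTYLEDPARSER_COORD_LIMIT` and is stored in image->size. The attribute text comes straight from the markup being parsed, so both branches should reject it the same way as an oversized value: `if (ok && v >= 0 && v <= QQUICKSTYLEDPARSER_COORD_LIMIT)`. The warning would also be easier to act on if it included the rejected attribute text, and since the two branches are now identical apart from the setter, a small file-local helper would keep them from drifting apart. The function starts before and continues after this hunk, so how image->size is consumed is not visible here.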
@@ -3484,6 +3484,22 @@ void tst_qquicktext::imgSize_data()
 << qint64(0x10000)
 << qint64(0x10000)
 << QQuickText::RichText;
+ QTest::newRow("out-of-bounds (styled text)") << QStringLiteral("images/starfish_2.png")
+ << (qint64(INT_MAX) + 1)
+ << (qint64(INT_MAX) + 1)
+ << QQuickText::StyledText;
+ QTest::newRow("out-of-bounds (rich text)") << QStringLiteral("images/starfish_2.png")
+ << (qint64(INT_MAX) + 1)
+ << (qint64(INT_MAX) + 1)
+ << QQuickText::RichText;
+ QTest::newRow("negative out-of-bounds (styled text)") << QStringLiteral("images/starfish_2.png")
+ << (qint64(INT_MIN) - 1)
+ << (qint64(INT_MIN) - 1)
+ << QQuickText::StyledText;
+ QTest::newRow("negative out-of-bounds (rich text)") << QStringLiteral("images/starfish_2.png")
+ << (qint64(INT_MIN) - 1)
+ << (qint64(INT_MIN) - 1)
+ << QQuickText::RichText;
 QTest::newRow("large non-existent (styled text)") << QStringLiteral("a")
 << qint64(0x7FFFFF)
 << qint64(0x7FFFFF) |
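Review bot: The four new rows in imgSize_data() only use values outside the int range (`qint64(INT_MAX) + 1` and `qint64(INT_MIN) - 1`), which in the styled-text parser are presumably rejected by the failed toInt() conversion rather than by the new `v <= QQUICKSTYLEDPARSER_COORD_LIMIT` comparison. No visible row covers a value that parses as an int but lies above the limit, nor a small negative such as `-1`, so the new bound and the missing lower bound are both untested as far as this hunk shows. Adding styled-text and rich-text rows for `qint64(INT_MAX)` and `qint64(-1)` would pin both edges. The data function extends beyond the hunk, so rows elsewhere may already cover part of this.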
