Fixed crash when parsing invalid polygons in svgs.

Kim Motoyoshi Kalland · Kim Motoyoshi Kalland · commit 4100b4240339 · 2009-12-18T10:27:59.000+01:00
Since a 2D point consists of two coordinates, it was assumed that
polygons and polylines were described with an even number of
coordinates. When the number of coordinates was odd, the program
would read out of bounds and cause an assert failure.

Task-number: QTBUG-6899
Reviewed-by: Gunnar
diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
@@ -2722,14 +2722,8 @@ static QSvgNode *createPolygonNode(QSvgNode *parent,
     const QChar *s = pointsStr.constData();
     QVector<qreal> points = parseNumbersList(s);
     QPolygonF poly(points.count()/2);
-    int i = 0;
-    QVector<qreal>::const_iterator itr = points.constBegin();
-    while (itr != points.constEnd()) {
-        qreal one = *itr; ++itr;
-        qreal two = *itr; ++itr;
-        poly[i] = QPointF(one, two);
-        ++i;
-    }
+    for (int i = 0; i < poly.size(); ++i)
+        poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
     QSvgNode *polygon = new QSvgPolygon(parent, poly);
     return polygon;
 }
@@ -2744,14 +2738,8 @@ static QSvgNode *createPolylineNode(QSvgNode *parent,
     const QChar *s = pointsStr.constData();
     QVector<qreal> points = parseNumbersList(s);
     QPolygonF poly(points.count()/2);
-    int i = 0;
-    QVector<qreal>::const_iterator itr = points.constBegin();
-    while (itr != points.constEnd()) {
-        qreal one = *itr; ++itr;
-        qreal two = *itr; ++itr;
-        poly[i] = QPointF(one, two);
-        ++i;
-    }
+    for (int i = 0; i < poly.size(); ++i)
+        poly[i] = QPointF(points.at(2 * i), points.at(2 * i + 1));
 
     QSvgNode *line = new QSvgPolyline(parent, poly);
     return line;
