From 8c199714e9bc638fb3f6ec747fb7a23373e49335 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Mon, 9 Jul 2018 10:45:22 +0200
Subject: [PATCH] Fix crash when parsing malformed url reference

The parsing did not check for end of input.

Change-Id: I56a478877d242146395977b767511425d2b8ced1
Reviewed-by: Lars Knoll
---
 src/svg/qsvghandler.cpp | 11 +++++----
 tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 26 ++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

--- a/src/svg/qsvghandler.cpp
+++ b/src/svg/qsvghandler.cpp
@@ -746,16 +746,17 @@
 static QString idFromUrl(const QString &url)
 {
 QString::const_iterator itr = url.constBegin();
- while ((*itr).isSpace())
+ QString::const_iterator end = url.constEnd();
+ while (itr != end && (*itr).isSpace())
 ++itr;
- if ((*itr) == QLatin1Char('('))
+ if (itr != end && (*itr) == QLatin1Char('('))
 ++itr;
- while ((*itr).isSpace())
+ while (itr != end && (*itr).isSpace())
 ++itr;
- if ((*itr) == QLatin1Char('#'))
+ if (itr != end && (*itr) == QLatin1Char('#'))
 ++itr;
 QString id;
- while ((*itr) != QLatin1Char(')')) {
+ while (itr != end && (*itr) != QLatin1Char(')')) {
 id += *itr;
 ++itr;
 }
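Review bot: The last loop, `while (itr != end && (*itr) != QLatin1Char(')'))`, now stops safely at end of input, but a reference with no closing parenthesis still returns whatever characters were collected, so a truncated value is handled the same as a well-formed one. If malformed references should not be resolved, the function could reject them right after the loop with `if (itr == end) return QString();`; whether callers cope with an empty id is not visible in this hunk. A short comment above the first loop, such as `// url comes from SVG content and may end at any point; check itr != end before every dereference`, would also record why each guard is there. The function's return statement and closing brace lie outside the hunk.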