From 7473317b52dbc15878d81291faa33f21c20d6ec6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?=
Date: Tue, 6 Apr 2021 19:59:48 +0200
Subject: [PATCH] QTextHtmlParserNode: Limit colspan to avoid segfault

This fixes oss-fuzz issue 29758.

[ChangeLog][QtGui][Text] QTextDocument::setHtml: column spans are limited to 20480, an arbitrarily high but reasonable value.

Fixes: QTBUG-92463
Pick-to: 5.15 6.0 6.1
Change-Id: Ib759e3e3ac0b0d0d483f8e8ce11002e079db3ace
Reviewed-by: Thiago Macieira
---
 src/gui/text/qtexthtmlparser.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gui/text/qtexthtmlparser.cpp b/src/gui/text/qtexthtmlparser.cpp
index ed1c6d97f63..a242d5e6459 100644
--- a/src/gui/text/qtexthtmlparser.cpp
+++ b/src/gui/text/qtexthtmlparser.cpp
@@ -1670,7 +1670,7 @@ void QTextHtmlParser::applyAttributes(const QStringList &attributes)
 node->tableCellRowSpan = qMax(1, node->tableCellRowSpan);
 } else if (key == QLatin1String("colspan")) {
 if (setIntAttribute(&node->tableCellColSpan, value))
- node->tableCellColSpan = qMax(1, node->tableCellColSpan);
+ node->tableCellColSpan = qBound(1, node->tableCellColSpan, 20480);
 }
 break;
 case Html_table:
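Review bot: The rowspan branch directly above the changed line still clamps only from below (`node->tableCellRowSpan = qMax(1, node->tableCellRowSpan);`), so HTML from an untrusted document can still request an arbitrarily large row span. Whether the table code sizes its grid from the row span the same way is not visible in this hunk, but if it does, the same crash class presumably stays reachable and rowspan deserves a matching `qBound(1, node->tableCellRowSpan, kMaxTableCellSpan)`. I would also lift the literal 20480 into a named constant (the name `kMaxTableCellSpan` is only a suggestion) with a one-line comment such as `// upper bound on table cell spans parsed from HTML; keeps table layout allocations bounded for hostile input`, so the limit is documented where it is enforced. The diffstat shows a single file changed, so a regression test feeding an oversized colspan to QTextDocument::setHtml would be worth adding alongside. applyAttributes starts and ends outside the hunk.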