summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSamuel Rødal <samuel.rodal@digia.com>2013-02-25 09:58:34 +0100
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-04-22 07:46:42 +0200
commit3e4c589d2f067482e5c46180b48bc7a94a96c4e6 (patch)
treefe4087c696fdd3a16d6616227d5d02181ce85e12
parentb82b8bfa811adcf11cb8d07d662fd2b9642deebc (diff)
Fixed potential access violation in QPixmap::copy() for <32 bit pixmaps.
QImage is supposed to maintain the invariant that each scan-line begins on a 4-byte boundary, so we need to verify that this is the case before using the optimized path of short-cutting QImage::copy() by referencing the source image's bits directly. Task-number: QTBUG-14766 Change-Id: I0a178aeb2f34cc64f98deae9470b55b5c53fcb06 Reviewed-by: Gunnar Sletta <gunnar.sletta@digia.com> (cherry picked from commit 711773776ed324efce7f1ed227104da9c7e21e05) Reviewed-by: aavit <eirik.aavitsland@digia.com>
-rw-r--r--src/gui/image/qpixmap_raster.cpp5
-rw-r--r--tests/auto/qpixmap/tst_qpixmap.cpp10
2 files changed, 13 insertions, 2 deletions
diff --git a/src/gui/image/qpixmap_raster.cpp b/src/gui/image/qpixmap_raster.cpp
index 8dedfba550..8ee982c134 100644
--- a/src/gui/image/qpixmap_raster.cpp
+++ b/src/gui/image/qpixmap_raster.cpp
@@ -330,8 +330,9 @@ QImage QRasterPixmapData::toImage(const QRect &rect) const
return image;
QRect clipped = rect.intersected(QRect(0, 0, w, h));
- if (d % 8 == 0)
- return QImage(image.scanLine(clipped.y()) + clipped.x() * (d / 8),
+ const uint du = uint(d);
+ if ((du % 8 == 0) && (((uint(clipped.x()) * du)) % 32 == 0))
+ return QImage(image.scanLine(clipped.y()) + clipped.x() * (du / 8),
clipped.width(), clipped.height(),
image.bytesPerLine(), image.format());
else
diff --git a/tests/auto/qpixmap/tst_qpixmap.cpp b/tests/auto/qpixmap/tst_qpixmap.cpp
index d22cc8685b..9fb5f41253 100644
--- a/tests/auto/qpixmap/tst_qpixmap.cpp
+++ b/tests/auto/qpixmap/tst_qpixmap.cpp
@@ -199,6 +199,8 @@ private slots:
void drawPixmapWhilePainterOpen();
void scaled_QTBUG19157();
+
+ void copyOnNonAlignedBoundary();
};
static bool lenientCompare(const QPixmap &actual, const QPixmap &expected)
@@ -1966,5 +1968,13 @@ void tst_QPixmap::scaled_QTBUG19157()
QVERIFY(!foo.isNull());
}
+void tst_QPixmap::copyOnNonAlignedBoundary()
+{
+ QImage img(8, 2, QImage::Format_RGB16);
+
+ QPixmap pm1 = QPixmap::fromImage(img, Qt::NoFormatConversion);
+ QPixmap pm2 = pm1.copy(QRect(5, 0, 3, 2)); // When copying second line: 2 bytes too many are read which might cause an access violation.
+}
+
QTEST_MAIN(tst_QPixmap)
#include "tst_qpixmap.moc"