diff options
| author | Samuel Rodal <samuel.rodal@digia.com> | 2013-04-19 17:06:14 +0100 |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-04-22 17:29:32 +0200 |
| commit | ea1521a490e6e6c2830eb8e072e80c554a91a439 (patch) | |
| tree | c82fc5775be64aa25d120ff305c9adb54d083f3d | |
| parent | 3e4c589d2f067482e5c46180b48bc7a94a96c4e6 (diff) | |
Fixed invalid memory read in SSSE3 image blending code.
We need to do bounds comparison on the actual offset we're going to use
with _mm_load_si128 to read 16 bytes from memory (even though we won't
use the trailing bytes in the end).
Task-number: QTBUG-28324
(cherry-picked from qtbase commit 52619ae7787b3c4febb73a02afa623b12edabc97)
Change-Id: I705ae191312e5ffe25e45caea71ada73ec97f68d
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
| -rw-r--r-- | src/gui/painting/qdrawhelper_ssse3.cpp | 2 | ||||
| -rw-r--r-- | tests/auto/qpainter/tst_qpainter.cpp | 20 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/gui/painting/qdrawhelper_ssse3.cpp b/src/gui/painting/qdrawhelper_ssse3.cpp index 33d436ac22..0c888506be 100644 --- a/src/gui/painting/qdrawhelper_ssse3.cpp +++ b/src/gui/painting/qdrawhelper_ssse3.cpp @@ -60,7 +60,7 @@ inline static void blend_pixel(quint32 &dst, const quint32 src) shift (4, 8, 12). Checking the alignment inside the loop is unfortunatelly way too slow. */ #define BLENDING_LOOP(palignrOffset, length)\ - for (; x < length-3; x += 4) { \ + for (; x-minusOffsetToAlignSrcOn16Bytes < length-7; x += 4) { \ const __m128i srcVectorLastLoaded = _mm_load_si128((__m128i *)&src[x - minusOffsetToAlignSrcOn16Bytes + 4]);\ const __m128i srcVector = _mm_alignr_epi8(srcVectorLastLoaded, srcVectorPrevLoaded, palignrOffset); \ const __m128i srcVectorAlpha = _mm_and_si128(srcVector, alphaMask); \ diff --git a/tests/auto/qpainter/tst_qpainter.cpp b/tests/auto/qpainter/tst_qpainter.cpp index e224522232..f073f709e8 100644 --- a/tests/auto/qpainter/tst_qpainter.cpp +++ b/tests/auto/qpainter/tst_qpainter.cpp @@ -223,6 +223,7 @@ private slots: void drawImage_task217400(); void drawImage_1x1(); void drawImage_task258776(); + void drawImage_QTBUG28324(); void drawRect_task215378(); void drawRect_task247505(); @@ -3672,6 +3673,25 @@ void tst_QPainter::drawImage_task258776() QCOMPARE(dest, expected); } +void tst_QPainter::drawImage_QTBUG28324() +{ + QImage dest(512, 512, QImage::Format_ARGB32_Premultiplied); + dest.fill(0x0); + + int x = 263; int y = 89; int w = 61; int h = 39; + + QImage source(w, h, QImage::Format_ARGB32_Premultiplied); + quint32 *b = (quint32 *)source.bits(); + for (int j = 0; j < w * h; ++j) + b[j] = 0x7f7f7f7f; + + // nothing to test here since the bug is about + // an invalid memory read, which valgrind + // would complain about + QPainter p(&dest); + p.drawImage(x, y, source); +} + void tst_QPainter::clipRectSaveRestore() { QImage img(64, 64, QImage::Format_ARGB32_Premultiplied); |