From 3e4c589d2f067482e5c46180b48bc7a94a96c4e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20R=C3=B8dal?= Date: Mon, 25 Feb 2013 09:58:34 +0100 Subject: Fixed potential access violation in QPixmap::copy() for <32 bit pixmaps. QImage is supposed to maintain the invariant that each scan-line begins on a 4-byte boundary, so we need to verify that this is the case before using the optimized path of short-cutting QImage::copy() by referencing the source image's bits directly. Task-number: QTBUG-14766 Change-Id: I0a178aeb2f34cc64f98deae9470b55b5c53fcb06 Reviewed-by: Gunnar Sletta (cherry picked from commit 711773776ed324efce7f1ed227104da9c7e21e05) Reviewed-by: aavit --- src/gui/image/qpixmap_raster.cpp | 5 +++-- tests/auto/qpixmap/tst_qpixmap.cpp | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/gui/image/qpixmap_raster.cpp b/src/gui/image/qpixmap_raster.cpp index 8dedfba550..8ee982c134 100644 --- a/src/gui/image/qpixmap_raster.cpp +++ b/src/gui/image/qpixmap_raster.cpp @@ -330,8 +330,9 @@ QImage QRasterPixmapData::toImage(const QRect &rect) const return image; QRect clipped = rect.intersected(QRect(0, 0, w, h)); - if (d % 8 == 0) - return QImage(image.scanLine(clipped.y()) + clipped.x() * (d / 8), + const uint du = uint(d); + if ((du % 8 == 0) && (((uint(clipped.x()) * du)) % 32 == 0)) + return QImage(image.scanLine(clipped.y()) + clipped.x() * (du / 8), clipped.width(), clipped.height(), image.bytesPerLine(), image.format()); else diff --git a/tests/auto/qpixmap/tst_qpixmap.cpp b/tests/auto/qpixmap/tst_qpixmap.cpp index d22cc8685b..9fb5f41253 100644 --- a/tests/auto/qpixmap/tst_qpixmap.cpp +++ b/tests/auto/qpixmap/tst_qpixmap.cpp @@ -199,6 +199,8 @@ private slots: void drawPixmapWhilePainterOpen(); void scaled_QTBUG19157(); + + void copyOnNonAlignedBoundary(); }; static bool lenientCompare(const QPixmap &actual, const QPixmap &expected) @@ -1966,5 +1968,13 @@ void tst_QPixmap::scaled_QTBUG19157() QVERIFY(!foo.isNull()); } +void tst_QPixmap::copyOnNonAlignedBoundary() +{ + QImage img(8, 2, QImage::Format_RGB16); + + QPixmap pm1 = QPixmap::fromImage(img, Qt::NoFormatConversion); + QPixmap pm2 = pm1.copy(QRect(5, 0, 3, 2)); // When copying second line: 2 bytes too many are read which might cause an access violation. +} + QTEST_MAIN(tst_QPixmap) #include "tst_qpixmap.moc" -- cgit v1.2.3