Prevent crash due to giving QWidget::update() a large region.

Similar to what change a298216bb4383dbe96 does for update(QRect) we clip
the update region against the widget's rect and return if it's empty.
Otherwise we risk ending up with update rects that are larger than
INT_MAX due to multiple update rects being merged.

Task-number: QTBUG-30876
Change-Id: Idf695b1fdca50449a1e5ddf37500653de290590c
Reviewed-by: Gunnar Sletta <gunnar.sletta@digia.com>

1 files changed, 9 insertions, 4 deletions

diff --git a/src/widgets/kernel/qwidget.cpp b/src/widgets/kernel/qwidget.cpp
index cb7761add7..0e868091fc 100644
--- a/src/widgets/kernel/qwidget.cpp
+++ b/src/widgets/kernel/qwidget.cpp
@@ -9909,11 +9909,16 @@ void QWidget::update(const QRect &rect)
 */
 void QWidget::update(const QRegion &rgn)
 {
-    if (!isVisible() || !updatesEnabled() || rgn.isEmpty())
+    if (!isVisible() || !updatesEnabled())
+        return;
+
+    QRegion r = rgn & QWidget::rect();
+
+    if (r.isEmpty())
         return;
 
     if (testAttribute(Qt::WA_WState_InPaintEvent)) {
-        QApplication::postEvent(this, new QUpdateLaterEvent(rgn));
+        QApplication::postEvent(this, new QUpdateLaterEvent(r));
         return;
     }
 
@@ -9926,9 +9931,9 @@ void QWidget::update(const QRegion &rgn)
 #endif // Q_WS_MAC
         QTLWExtra *tlwExtra = window()->d_func()->maybeTopData();
         if (tlwExtra && !tlwExtra->inTopLevelResize && tlwExtra->backingStore)
-            tlwExtra->backingStoreTracker->markDirty(rgn, this);
+            tlwExtra->backingStoreTracker->markDirty(r, this);
     } else {
-        d_func()->repaint_sys(rgn);
+        d_func()->repaint_sys(r);
     }
 }