diff options
author | Samuel Rødal <samuel.rodal@digia.com> | 2013-02-25 09:58:34 +0100 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-03-06 15:00:35 +0100 |
commit | 711773776ed324efce7f1ed227104da9c7e21e05 (patch) | |
tree | b7cdbba920e48d8ea4e34d7d25a3a4fcfadafd51 | |
parent | 7ee4ab14636ee39670b5b25c3afa90009665eede (diff) |
Fixed potential access violation in QPixmap::copy() for <32 bit pixmaps.
QImage is supposed to maintain the invariant that each scan-line begins
on a 4-byte boundary, so we need to verify that this is the case before
using the optimized path of short-cutting QImage::copy() by referencing
the source image's bits directly.
Task-number: QTBUG-14766
Change-Id: I0a178aeb2f34cc64f98deae9470b55b5c53fcb06
Reviewed-by: Gunnar Sletta <gunnar.sletta@digia.com>
-rw-r--r-- | src/gui/image/qpixmap_raster.cpp | 5 | ||||
-rw-r--r-- | tests/auto/gui/image/qpixmap/tst_qpixmap.cpp | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/gui/image/qpixmap_raster.cpp b/src/gui/image/qpixmap_raster.cpp index f0cb69f3ec..f8fef9cada 100644 --- a/src/gui/image/qpixmap_raster.cpp +++ b/src/gui/image/qpixmap_raster.cpp @@ -239,8 +239,9 @@ QImage QRasterPlatformPixmap::toImage(const QRect &rect) const return image; QRect clipped = rect.intersected(QRect(0, 0, w, h)); - if (d % 8 == 0) - return QImage(image.scanLine(clipped.y()) + clipped.x() * (d / 8), + const uint du = uint(d); + if ((du % 8 == 0) && (((uint(clipped.x()) * du)) % 32 == 0)) + return QImage(image.scanLine(clipped.y()) + clipped.x() * (du / 8), clipped.width(), clipped.height(), image.bytesPerLine(), image.format()); else diff --git a/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp b/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp index f5298a1690..61f53a5073 100644 --- a/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp +++ b/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp @@ -167,6 +167,8 @@ private slots: void scaled_QTBUG19157(); void detachOnLoad_QTBUG29639(); + + void copyOnNonAlignedBoundary(); }; static bool lenientCompare(const QPixmap &actual, const QPixmap &expected) @@ -1503,5 +1505,13 @@ void tst_QPixmap::detachOnLoad_QTBUG29639() QVERIFY(a.toImage() != b.toImage()); } +void tst_QPixmap::copyOnNonAlignedBoundary() +{ + QImage img(8, 2, QImage::Format_RGB16); + + QPixmap pm1 = QPixmap::fromImage(img, Qt::NoFormatConversion); + QPixmap pm2 = pm1.copy(QRect(5, 0, 3, 2)); // When copying second line: 2 bytes too many are read which might cause an access violation. +} + QTEST_MAIN(tst_QPixmap) #include "tst_qpixmap.moc" |