Avoid of bounds memory reads when scaling and mirroring images

The bounds check we had wasn't complete for mirroring cases. Task-number: QTBUG-65387 Change-Id: I5333912621c1223f83b4f1b95f2b16d12b520bd2 Reviewed-by: Lars Knoll <lars.knoll@qt.io> Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit 1d616e764d33da1d3435ae8ee366f6ea8af71787)
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-03-22 15:35:34 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-03-23 15:17:30 +0000
commit: 602fd9eb7e58552fd5b10a96c457fba33c4eff8e (patch)
tree: 5624381f4efb695011acee86da98edcc878c4464
parent: 6920e4c22a92dbc5f73cb192f538640505fb78ca (diff)
2 files changed, 30 insertions, 0 deletions
diff --git a/src/gui/painting/qblendfunctions_p.h b/src/gui/painting/qblendfunctions_p.h
index 167f725143..dc7a4dfe8c 100644
--- a/src/gui/painting/qblendfunctions_p.h
+++ b/src/gui/painting/qblendfunctions_p.h
@@ -137,6 +137,16 @@ void qt_scale_image_16bit(uchar *destPixels, int dbpl,
 
     // this bounds check here is required as floating point rounding above might in some cases lead to
     // w/h values that are one pixel too large, falling outside of the valid image area.
+    const int ystart = srcy >> 16;
+    if (ystart >= srch && iy < 0) {
+        srcy += iy;
+        --h;
+    }
+    const int xstart = basex >> 16;
+    if (xstart >=  (int)(sbpl/sizeof(SRC)) && ix < 0) {
+        basex += ix;
+        --w;
+    }
     int yend = (srcy + iy * (h - 1)) >> 16;
     if (yend < 0 || yend >= srch)
         --h;
@@ -248,6 +258,16 @@ template <typename T> void qt_scale_image_32bit(uchar *destPixels, int dbpl,
 
     // this bounds check here is required as floating point rounding above might in some cases lead to
     // w/h values that are one pixel too large, falling outside of the valid image area.
+    const int ystart = srcy >> 16;
+    if (ystart >= srch && iy < 0) {
+        srcy += iy;
+        --h;
+    }
+    const int xstart = basex >> 16;
+    if (xstart >=  (int)(sbpl/sizeof(quint32)) && ix < 0) {
+        basex += ix;
+        --w;
+    }
     int yend = (srcy + iy * (h - 1)) >> 16;
     if (yend < 0 || yend >= srch)
         --h;
diff --git a/src/gui/painting/qdrawhelper_sse2.cpp b/src/gui/painting/qdrawhelper_sse2.cpp
index 3013d2cf3e..5307b6cbc5 100644
--- a/src/gui/painting/qdrawhelper_sse2.cpp
+++ b/src/gui/painting/qdrawhelper_sse2.cpp
@@ -558,6 +558,16 @@ void qt_scale_image_argb32_on_argb32_sse2(uchar *destPixels, int dbpl,
 
     // this bounds check here is required as floating point rounding above might in some cases lead to
     // w/h values that are one pixel too large, falling outside of the valid image area.
+    const int ystart = srcy >> 16;
+    if (ystart >= srch && iy < 0) {
+        srcy += iy;
+        --h;
+    }
+    const int xstart = basex >> 16;
+    if (xstart >=  (int)(sbpl/sizeof(quint32)) && ix < 0) {
+        basex += ix;
+        --w;
+    }
     int yend = (srcy + iy * (h - 1)) >> 16;
     if (yend < 0 || yend >= srch)
         --h;
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-03-22 15:35:34 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-03-23 15:17:30 +0000
commit	602fd9eb7e58552fd5b10a96c457fba33c4eff8e (patch)
tree	5624381f4efb695011acee86da98edcc878c4464
parent	6920e4c22a92dbc5f73cb192f538640505fb78ca (diff)