Avoid converting supersized QRectF to QRect

Check that the sizes are even representable when checking if clipping is necessary. Fixes oss-fuzz 23630 Pick-to: 5.15 5.12 Change-Id: I95d6873d28b0e4f47aae7666f7ee96b745dc997b Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-06-23 09:50:54 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-06-25 08:46:04 +0200
commit: 177c0ef204e35938f3fef7bd7be5425d6804ec82 (patch)
tree: 4e42f1aaf17da75ccc7a66bb881750b6b894db7a
parent: d13b6bd496ea3c23f8787c544d60ac4124b55245 (diff)
1 files changed, 8 insertions, 3 deletions
diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp
index 65315ed7cb..5123171fff 100644
--- a/src/gui/painting/qpaintengine_raster.cpp
+++ b/src/gui/painting/qpaintengine_raster.cpp
@@ -1782,9 +1782,9 @@ void QRasterPaintEngine::fill(const QVectorPath &path, const QBrush &brush)
 
     // ### Optimize for non transformed ellipses and rectangles...
     QRectF cpRect = path.controlPointRect();
-    const QRect pathDeviceRect = s->matrix.mapRect(cpRect).toRect();
+    const QRectF pathDeviceRect = s->matrix.mapRect(cpRect);
     // Skip paths that by conservative estimates are completely outside the paint device.
-    if (!pathDeviceRect.intersects(d->deviceRect))
+    if (!pathDeviceRect.intersects(QRectF(d->deviceRect)))
         return;
 
     ProcessSpans blend = d->getBrushFunc(pathDeviceRect, &s->brushData);
@@ -3043,7 +3043,12 @@ bool QRasterPaintEnginePrivate::isUnclipped(const QRect &rect,
 inline bool QRasterPaintEnginePrivate::isUnclipped(const QRectF &rect,
                                                    int penWidth) const
 {
-    return isUnclipped(rect.normalized().toAlignedRect(), penWidth);
+    const QRectF norm = rect.normalized();
+    if (norm.left() < INT_MIN || norm.top() < INT_MIN
+            || norm.right() > INT_MAX || norm.bottom() > INT_MAX
+            || norm.width() > INT_MAX || norm.height() > INT_MAX)
+        return false;
+    return isUnclipped(norm.toAlignedRect(), penWidth);
 }
 
 inline ProcessSpans
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-06-23 09:50:54 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-06-25 08:46:04 +0200
commit	177c0ef204e35938f3fef7bd7be5425d6804ec82 (patch)
tree	4e42f1aaf17da75ccc7a66bb881750b6b894db7a
parent	d13b6bd496ea3c23f8787c544d60ac4124b55245 (diff)