diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-23 09:50:54 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-06-25 08:46:04 +0200 |
commit | 177c0ef204e35938f3fef7bd7be5425d6804ec82 (patch) | |
tree | 4e42f1aaf17da75ccc7a66bb881750b6b894db7a /src/gui/painting/qpaintengine_raster.cpp | |
parent | d13b6bd496ea3c23f8787c544d60ac4124b55245 (diff) |
Avoid converting supersized QRectF to QRect
Check that the sizes are even representable when checking if clipping is
necessary.
Fixes oss-fuzz 23630
Pick-to: 5.15 5.12
Change-Id: I95d6873d28b0e4f47aae7666f7ee96b745dc997b
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src/gui/painting/qpaintengine_raster.cpp')
-rw-r--r-- | src/gui/painting/qpaintengine_raster.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp index 65315ed7cb..5123171fff 100644 --- a/src/gui/painting/qpaintengine_raster.cpp +++ b/src/gui/painting/qpaintengine_raster.cpp @@ -1782,9 +1782,9 @@ void QRasterPaintEngine::fill(const QVectorPath &path, const QBrush &brush) // ### Optimize for non transformed ellipses and rectangles... QRectF cpRect = path.controlPointRect(); - const QRect pathDeviceRect = s->matrix.mapRect(cpRect).toRect(); + const QRectF pathDeviceRect = s->matrix.mapRect(cpRect); // Skip paths that by conservative estimates are completely outside the paint device. - if (!pathDeviceRect.intersects(d->deviceRect)) + if (!pathDeviceRect.intersects(QRectF(d->deviceRect))) return; ProcessSpans blend = d->getBrushFunc(pathDeviceRect, &s->brushData); @@ -3043,7 +3043,12 @@ bool QRasterPaintEnginePrivate::isUnclipped(const QRect &rect, inline bool QRasterPaintEnginePrivate::isUnclipped(const QRectF &rect, int penWidth) const { - return isUnclipped(rect.normalized().toAlignedRect(), penWidth); + const QRectF norm = rect.normalized(); + if (norm.left() < INT_MIN || norm.top() < INT_MIN + || norm.right() > INT_MAX || norm.bottom() > INT_MAX + || norm.width() > INT_MAX || norm.height() > INT_MAX) + return false; + return isUnclipped(norm.toAlignedRect(), penWidth); } inline ProcessSpans |