From 1ba2f6b2d2e67790dfb01abbe933a7143a9d1207 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 23 Nov 2020 11:54:48 +0100
Subject: Avoid integer overflow and division by zero
Restrain patterns to sensible lengths and values.
[ChangeLog][QCosmeticStroker] Pen patterns are restrained to a maximum length and values of 1024, fixing oss-fuzz issue 25310.
Change-Id: If062f8336ff5ad113258391b0d70b8ac6f42c4b3
Reviewed-by: Robert Loehning
Reviewed-by: Eirik Aavitsland
(cherry picked from commit 1ff25785ff93d0bd3d597e3a65a261bdbfa13c3b)
Reviewed-by: Qt Cherry-pick Bot
---
 src/gui/painting/qcosmeticstroker.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/gui/painting/qcosmeticstroker.cpp b/src/gui/painting/qcosmeticstroker.cpp
index 168e493b41..433fadaa46 100644
--- a/src/gui/painting/qcosmeticstroker.cpp
+++ b/src/gui/painting/qcosmeticstroker.cpp
@@ -260,7 +260,7 @@ void QCosmeticStroker::setup()
 strokeSelection |= AntiAliased;
 const QList &penPattern = state->lastPen.dashPattern();
- if (penPattern.isEmpty()) {
+ if (penPattern.isEmpty() || penPattern.size() > 1024) {
 Q_ASSERT(!pattern && !reversePattern);
 pattern = nullptr;
 reversePattern = nullptr;
@@ -273,12 +273,12 @@ void QCosmeticStroker::setup()
 patternLength = 0;
 for (int i = 0; i < patternSize; ++i) {
- patternLength += (int) qMax(1. , penPattern.at(i)*64.);
+ patternLength += (int)qBound(1., penPattern.at(i) * 64, 65536.);
 pattern[i] = patternLength;
 }
 patternLength = 0;
 for (int i = 0; i < patternSize; ++i) {
- patternLength += (int) qMax(1., penPattern.at(patternSize - 1 - i)*64.);
+ patternLength += (int)qBound(1., penPattern.at(patternSize - 1 - i) * 64, 65536.);
 reversePattern[i] = patternLength;
 }
 strokeSelection |= Dashed;
-- cgit v1.2.3
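Review bot: A dash pattern with more than 1024 entries is silently treated as if the pen had no pattern, because the new `penPattern.size() > 1024` test shares the `isEmpty()` branch that sets `pattern` and `reversePattern` to `nullptr`; the stroke presumably falls back to a solid line with no diagnostic. The bare `1024` would read better as a named constant with a comment such as `// cap the entry count so the summed segment lengths below cannot overflow int`, and a `qWarning()` when the cap is hit would make the fallback visible to callers. The check covers only QCosmeticStroker::setup(); whether other consumers of `dashPattern()` need the same bound cannot be judged from this diff. The rest of the branch lies outside the hunk.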
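Review bot: The clamp `65536.` appears as a bare literal in both loops, and nothing states that it is paired with the 1024-entry cap so that the worst-case sum (1024 × 65536 = 2^26) stays within `int`. A shared constant and one comment, e.g. `// 1024 entries * 65536 max each = 2^26, fits in int`, would keep the two limits from drifting apart in later edits. The diffstat lists only this file, so no regression test for the fuzzer input accompanies the fix; one that also feeds NaN entries would be worthwhile, since their result depends on how qBound orders its comparisons. Both loops lie within the hunk, but the allocation of `pattern` and `reversePattern` is above it.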