From 9bbeb7e6e8fb0fdd743b741dce61543fc4246ee2 Mon Sep 17 00:00:00 2001 From: Joni Poikelin Date: Thu, 13 Dec 2018 09:01:34 +0200 Subject: Prevent QPixmap::load from touching QPixmapCache in non-gui threads Change-Id: Ied0fec48c81298743f694f317dd60e58d356f69a Fixes: QTBUG-72523 Reviewed-by: Eirik Aavitsland --- src/gui/image/qpixmap.cpp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'src/gui/image') diff --git a/src/gui/image/qpixmap.cpp b/src/gui/image/qpixmap.cpp index 4b2334ae52..ea6697cc39 100644 --- a/src/gui/image/qpixmap.cpp +++ b/src/gui/image/qpixmap.cpp @@ -714,8 +714,8 @@ QBitmap QPixmap::createMaskFromColor(const QColor &maskColor, Qt::MaskMode mode) control the conversion. Note that QPixmaps are automatically added to the QPixmapCache - when loaded from a file; the key used is internal and can not - be acquired. + when loaded from a file in main thread; the key used is internal + and cannot be acquired. \sa loadFromData(), {QPixmap#Reading and Writing Image Files}{Reading and Writing Image Files} @@ -729,6 +729,7 @@ bool QPixmap::load(const QString &fileName, const char *format, Qt::ImageConvers // Note: If no extension is provided, we try to match the // file against known plugin extensions if (info.completeSuffix().isEmpty() || info.exists()) { + const bool inGuiThread = qApp->thread() == QThread::currentThread(); QString key = QLatin1String("qt_pixmap") % info.absoluteFilePath() 
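Review bot: The added line `const bool inGuiThread = qApp->thread() == QThread::currentThread();` dereferences `qApp` unconditionally, so if QPixmap::load can run before an application object exists or after it has been destroyed, this is a null dereference where the old code only touched the cache; if that is possible here, `const bool inGuiThread = QCoreApplication::instance() && QCoreApplication::instance()->thread() == QThread::currentThread();` is the null-safe form. The flag also deserves a why-comment, since nothing at the declaration says what it protects, e.g. `// QPixmapCache must not be touched from non-GUI threads; skip find()/insert() there`. The doc hunk above says "in main thread" while the check compares against the application object's thread, so "in the GUI thread" would describe the code more accurately. QPixmap::load continues in the next hunk, where the flag guards the find() and insert() calls.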
@@ -736,13 +737,14 @@ bool QPixmap::load(const QString &fileName, const char *format, Qt::ImageConvers % HexString(info.size()) % HexString(data ? data->pixelType() : QPlatformPixmap::PixmapType); - if (QPixmapCache::find(key, this)) + if (inGuiThread && QPixmapCache::find(key, this)) return true; data = QPlatformPixmap::create(0, 0, data ? data->pixelType() : QPlatformPixmap::PixmapType); if (data->fromFile(fileName, format, flags)) { - QPixmapCache::insert(key, *this); + if (inGuiThread) + QPixmapCache::insert(key, *this); return true; } } -- cgit v1.2.3 From f383fa4b9c64e319cb9b8a63ca88368ad752db27 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid Date: Wed, 30 Jan 2019 01:31:30 +0100 Subject: png: initialize color_type to 0 Fixes ==12==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x6b8179 in setup_qt /src/qtbase/src/gui/image/qpnghandler.cpp:247:9 on fuzzed file Change-Id: I772d536a0db91665dc16e94751ef507de1064376 Reviewed-by: Eirik Aavitsland --- src/gui/image/qpnghandler.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/gui/image') diff --git a/src/gui/image/qpnghandler.cpp b/src/gui/image/qpnghandler.cpp index 8ae03d5d38..110ee1670b 100644 --- a/src/gui/image/qpnghandler.cpp +++ b/src/gui/image/qpnghandler.cpp @@ -234,7 +234,7 @@ void setup_qt(QImage& image, png_structp png_ptr, png_infop info_ptr, QSize scal png_uint_32 width; png_uint_32 height; int bit_depth; - int color_type; + int color_type = 0; png_bytep trans_alpha = 0; png_color_16p trans_color_p = 0; int num_trans; @@ -678,7 +678,7 @@ QImage::Format QPngHandlerPrivate::readImageFormat() { QImage::Format format = QImage::Format_Invalid; png_uint_32 width, height; - int bit_depth, color_type; + int bit_depth, color_type = 0; png_colorp palette; int num_palette; png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, 0, 0, 0); -- cgit v1.2.3 From 0bde49bd92b0d4366b91c5cdd1585e0e1fb623bc Mon Sep 17 00:00:00 2001 
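Review bot: Initializing `color_type` to 0 in both qpnghandler.cpp hunks (@@ -234 and @@ -678) silences the sanitizer but hides what it reported: 0 is also `PNG_COLOR_TYPE_GRAY`, so when `png_get_IHDR` fails (it returns 0 and leaves its out-parameters unset) the code now proceeds as if the file declared a valid grayscale image, and in readImageFormat `width` and `height` stay uninitialized as well. The robust fix is to check the call's return value; in readImageFormat, where `format` is already `Format_Invalid`, that is `if (!png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, 0, 0, 0)) return format;`. The `png_get_IHDR` call in setup_qt is outside the @@ -234 hunk but needs the same check. The later "Initialize bit_depth" commit on this page applies the same zero-initialization and has the same gap.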
From: Christian Ehrlicher Date: Fri, 25 Jan 2019 22:09:46 +0100 Subject: QPictureIO::read(): don't work on dangling pointer QPictureIO::read() is using pictureFormat() when the format has to be guessed. pictureFormat() returns a QByteArray which was implicit casted into a char* and then pointed to uninitialized memory. Fix it by using a QByteArray instead a plain char*. Change-Id: If9ae286ed68134af597f0b0c779789e40f9efaed Reviewed-by: Thiago Macieira --- src/gui/image/qpicture.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/gui/image') diff --git a/src/gui/image/qpicture.cpp b/src/gui/image/qpicture.cpp index 7eede5ee26..2f2f85f68d 100644 --- a/src/gui/image/qpicture.cpp +++ b/src/gui/image/qpicture.cpp @@ -1866,7 +1866,7 @@ QList QPictureIO::outputFormats() bool QPictureIO::read() { QFile file; - const char *picture_format; + QByteArray picture_format; QPictureHandler *h; if (d->iodev) { // read from io device @@ -1882,7 +1882,7 @@ bool QPictureIO::read() if (d->frmt.isEmpty()) { // Try to guess format picture_format = pictureFormat(d->iodev); // get picture format - if (!picture_format) { + if (picture_format.isEmpty()) { if (file.isOpen()) { // unknown format file.close(); d->iodev = 0; -- cgit v1.2.3 From 50447bb7a32dcdf5070f769cb9ef26112d2f4c04 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid Date: Thu, 31 Jan 2019 09:41:18 +0100 Subject: Initialize bit_depth ==12==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x6b90ea in setup_qt /src/qtbase/src/gui/image/qpnghandler.cpp:360:32 Change-Id: Idf04130e645dcf589dfb6260661be18a71b7bdc2 Reviewed-by: Eirik Aavitsland --- src/gui/image/qpnghandler.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/gui/image') diff --git a/src/gui/image/qpnghandler.cpp b/src/gui/image/qpnghandler.cpp index 110ee1670b..808037f434 100644 --- a/src/gui/image/qpnghandler.cpp +++ b/src/gui/image/qpnghandler.cpp 
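Review bot: The reason `picture_format` became a `QByteArray` lives only in the commit message; a short comment at the declaration would stop the next cleanup from turning it back into a `const char *`, e.g. `// QByteArray, not const char *: pictureFormat() returns a temporary, so a raw pointer into it would dangle.` If the guessed format is not used after the `if (d->frmt.isEmpty())` block, the declaration could also move into that block so the variable is initialized at first use; QPictureIO::read() continues outside both hunks, so that cannot be confirmed from here.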
@@ -233,7 +233,7 @@ void setup_qt(QImage& image, png_structp png_ptr, png_infop info_ptr, QSize scal png_uint_32 width; png_uint_32 height; - int bit_depth; + int bit_depth = 0; int color_type = 0; png_bytep trans_alpha = 0; png_color_16p trans_color_p = 0; @@ -678,7 +678,7 @@ QImage::Format QPngHandlerPrivate::readImageFormat() { QImage::Format format = QImage::Format_Invalid; png_uint_32 width, height; - int bit_depth, color_type = 0; + int bit_depth = 0, color_type = 0; png_colorp palette; int num_palette; png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, 0, 0, 0); -- cgit v1.2.3 From e96641d881f2106151995c812fabb9d6c58beccb Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Mon, 14 Jan 2019 11:30:36 +0100 Subject: Fix xbm image format handler: properly reject invalid files The read_xbm_header() function is used to check for valid file header, containing valid width and height values. But in case of an invalid file, the check could depend on uninitialized variables. Change-Id: I9f933ed6e38d86109e5b5a8d55fe763ab928d749 Reviewed-by: Allan Sandfeld Jensen --- src/gui/image/qxbmhandler.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/gui/image') diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp index 24d86e116d..7ba44049b4 100644 --- a/src/gui/image/qxbmhandler.cpp +++ b/src/gui/image/qxbmhandler.cpp @@ -97,6 +97,8 @@ static bool read_xbm_header(QIODevice *device, int& w, int& h) if (r1.indexIn(sbuf) == 0 && r2.indexIn(sbuf, r1.matchedLength()) == r1.matchedLength()) w = QByteArray(&buf[r1.matchedLength()]).trimmed().toInt(); + else + return false; // "#define .._height " readBytes = device->readLine(buf, buflen); 
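Review bot: The new `else return false;` in read_xbm_header leaves the `w` and `h` out-parameters untouched, so a caller that reads them on a false return still sees whatever was in them before; that is only safe if every caller checks the return value first, which is outside the hunk. That contract is worth stating on the function (its signature line is outside the hunk), e.g. `// Returns false, leaving w and h untouched, when either #define line is missing or malformed.` The same applies to the `else return false;` added in the next hunk (@@ -109); a `toInt()` failure there still yields 0, which the `w <= 0 || ... || h <= 0` range check after it rejects.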
@@ -109,6 +111,8 @@ static bool read_xbm_header(QIODevice *device, int& w, int& h) if (r1.indexIn(sbuf) == 0 && r2.indexIn(sbuf, r1.matchedLength()) == r1.matchedLength()) h = QByteArray(&buf[r1.matchedLength()]).trimmed().toInt(); + else + return false; // format error if (w <= 0 || w > 32767 || h <= 0 || h > 32767) -- cgit v1.2.3