From 1d616e764d33da1d3435ae8ee366f6ea8af71787 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Thu, 22 Mar 2018 15:35:34 +0100
Subject: Avoid of bounds memory reads when scaling and mirroring images
The bounds check we had wasn't complete for mirroring cases.
Task-number: QTBUG-65387
Change-Id: I5333912621c1223f83b4f1b95f2b16d12b520bd2
Reviewed-by: Lars Knoll
Reviewed-by: Eirik Aavitsland
---
 src/gui/painting/qblendfunctions_p.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'src/gui/painting/qblendfunctions_p.h')
diff --git a/src/gui/painting/qblendfunctions_p.h b/src/gui/painting/qblendfunctions_p.h
index 167f725143..dc7a4dfe8c 100644
--- a/src/gui/painting/qblendfunctions_p.h
+++ b/src/gui/painting/qblendfunctions_p.h
@@ -137,6 +137,16 @@ void qt_scale_image_16bit(uchar *destPixels, int dbpl,
 // this bounds check here is required as floating point rounding above might in some cases lead to
 // w/h values that are one pixel too large, falling outside of the valid image area.
+ const int ystart = srcy >> 16;
+ if (ystart >= srch && iy < 0) {
+ srcy += iy;
+ --h;
+ }
+ const int xstart = basex >> 16;
+ if (xstart >= (int)(sbpl/sizeof(SRC)) && ix < 0) {
+ basex += ix;
+ --w;
+ }
 int yend = (srcy + iy * (h - 1)) >> 16;
 if (yend < 0 || yend >= srch)
 --h;
@@ -248,6 +258,16 @@ template void qt_scale_image_32bit(uchar *destPixels, int dbpl,
 // this bounds check here is required as floating point rounding above might in some cases lead to
 // w/h values that are one pixel too large, falling outside of the valid image area.
+ const int ystart = srcy >> 16;
+ if (ystart >= srch && iy < 0) {
+ srcy += iy;
+ --h;
+ }
+ const int xstart = basex >> 16;
+ if (xstart >= (int)(sbpl/sizeof(quint32)) && ix < 0) {
+ basex += ix;
+ --w;
+ }
 int yend = (srcy + iy * (h - 1)) >> 16;
 if (yend < 0 || yend >= srch)
 --h;
-- cgit v1.2.3
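Review bot: The new start-of-range adjustment decrements `h` and `w` without re-checking that they stay positive, and the existing end-of-range check right below then evaluates `(h - 1)` on the already-decremented value, so a one-row or one-column target can leave `h` or `w` at zero or below before the copy loop (outside the hunk) consumes it; adding `if (w <= 0 || h <= 0) return;` after both adjustments closes that gap regardless of how that loop is written. The adjustment also steps back by exactly one pixel, which relies on the rounding overshoot being at most one pixel as the comment above states; a short comment such as `// mirrored (negative step) case: rounding can put the first sample one row/column past the end, step once to bring it inside` would make that assumption explicit for the next reader. The same two points apply to the identical block in the qt_scale_image_32bit hunk. qt_scale_image_16bit begins and ends outside the hunk.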