From 1adc586abda245c9caf78a929fd96917532f44a3 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Fri, 29 Aug 2014 22:27:00 +0200
Subject: QBrush: be more robust in detach()

If detach() was called with a newStyle corresponding to a gradient,
but with d->style not a gradient, it would execute an invalid cast
and read invalid memory.

The reason this has not been seen in practice is that a non-gradient
brush instance can currently never become a gradient one. But that
may change when someone adds an operator=(QGradient), so in the
interest of robust code, add a check to verify the old style was a
gradient before accessing the corresponding member.

Change-Id: I216a144d31a9ed7145bcd829f3ae5f44a41672db
Reviewed-by: Gunnar Sletta <gunnar@sletta.org>
---
 src/gui/painting/qbrush.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src/gui/painting/qbrush.cpp')

diff --git a/src/gui/painting/qbrush.cpp b/src/gui/painting/qbrush.cpp
index eca2860ab9..d120175108 100644
--- a/src/gui/painting/qbrush.cpp
+++ b/src/gui/painting/qbrush.cpp
@@ -596,8 +596,16 @@ void QBrush::detach(Qt::BrushStyle newStyle)
     case Qt::RadialGradientPattern:
     case Qt::ConicalGradientPattern:
         x.reset(new QGradientBrushData);
-        static_cast<QGradientBrushData *>(x.data())->gradient =
-            static_cast<QGradientBrushData *>(d.data())->gradient;
+        switch (d->style) {
+        case Qt::LinearGradientPattern:
+        case Qt::RadialGradientPattern:
+        case Qt::ConicalGradientPattern:
+            static_cast<QGradientBrushData *>(x.data())->gradient =
+                    static_cast<QGradientBrushData *>(d.data())->gradient;
+            break;
+        default:
+            break;
+        }
         break;
     default:
         x.reset(new QBrushData);
-- 
cgit v1.2.3