From fb7ef2b9f5cbc375fb35690326501be6a117314d Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Sun, 6 Mar 2016 15:06:48 +0100
Subject: QCosmeticStroker: fix out-of-bounds access in drawPixel()

Found by UBSan:

  src/gui/painting/qcosmeticstroker.cpp:150:55: runtime error: index -1 out of bounds for type 'QT_FT_Span_ [255]'
  src/gui/painting/qcosmeticstroker.cpp:150:99: runtime error: index -1 out of bounds for type 'QT_FT_Span_ [255]'
  src/gui/painting/qcosmeticstroker.cpp:151:55: runtime error: index -1 out of bounds for type 'QT_FT_Span_ [255]'

That code path makes no sense if no span has been populated
yet, so skip the whole block if current_span == 0.

Change-Id: I832b989e89c118dc48ab5add3a28bb44c1936a76
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
---
 src/gui/painting/qcosmeticstroker.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'src/gui/painting/qcosmeticstroker.cpp')

diff --git a/src/gui/painting/qcosmeticstroker.cpp b/src/gui/painting/qcosmeticstroker.cpp
index 8c3fd2ce4f..b310336b9b 100644
--- a/src/gui/painting/qcosmeticstroker.cpp
+++ b/src/gui/painting/qcosmeticstroker.cpp
@@ -141,12 +141,14 @@ inline void drawPixel(QCosmeticStroker *stroker, int x, int y, int coverage)
     if (x < cl.x() || x > cl.right() || y < cl.y() || y > cl.bottom())
         return;
 
-    int lastx = stroker->spans[stroker->current_span-1].x + stroker->spans[stroker->current_span-1].len ;
-    int lasty = stroker->spans[stroker->current_span-1].y;
+    if (stroker->current_span > 0) {
+        const int lastx = stroker->spans[stroker->current_span-1].x + stroker->spans[stroker->current_span-1].len ;
+        const int lasty = stroker->spans[stroker->current_span-1].y;
 
-    if (stroker->current_span == QCosmeticStroker::NSPANS || y < lasty || (y == lasty && x < lastx)) {
-        stroker->blend(stroker->current_span, stroker->spans, &stroker->state->penData);
-        stroker->current_span = 0;
+        if (stroker->current_span == QCosmeticStroker::NSPANS || y < lasty || (y == lasty && x < lastx)) {
+            stroker->blend(stroker->current_span, stroker->spans, &stroker->state->penData);
+            stroker->current_span = 0;
+        }
     }
 
     stroker->spans[stroker->current_span].x = ushort(x);
-- 
cgit v1.2.3