From 93243b5d6a6726087aeec387366ca699cad4e31c Mon Sep 17 00:00:00 2001 From: Eirik Aavitsland Date: Mon, 1 Feb 2021 09:47:53 +0100 Subject: Avoid int overflow in gradient drawing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes oss-fuzz 29348 Pick-to: 6.0 5.15 Change-Id: I3568a0a7a7e8d87881f5b052c6c00831b53b3842 Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Robert Löhning --- src/gui/painting/qdrawhelper.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/gui/painting/qdrawhelper.cpp') diff --git a/src/gui/painting/qdrawhelper.cpp b/src/gui/painting/qdrawhelper.cpp index 355ad30288..61963a5e61 100644 --- a/src/gui/painting/qdrawhelper.cpp +++ b/src/gui/painting/qdrawhelper.cpp @@ -2407,6 +2407,7 @@ static inline SourceFetchProc64 getSourceFetch64(TextureBlendType blendType, QIm #define FIXPT_BITS 8 #define FIXPT_SIZE (1<> (FIXPT_BITS + 1)) static uint qt_gradient_pixel_fixed(const QGradientData *data, int fixed_pos) { @@ -2503,10 +2504,12 @@ static inline const BlendType * QT_FASTCALL qt_fetch_linear_gradient_template( const BlendType *end = buffer + length; if (affine) { if (inc > qreal(-1e-5) && inc < qreal(1e-5)) { - GradientBase::memfill(buffer, GradientBase::fetchSingle(data->gradient, int(t * FIXPT_SIZE)), length); + if (std::abs(t) < FIXPT_MAX) + GradientBase::memfill(buffer, GradientBase::fetchSingle(data->gradient, int(t * FIXPT_SIZE)), length); + else + GradientBase::memfill(buffer, GradientBase::fetchSingle(data->gradient, t / GRADIENT_STOPTABLE_SIZE), length); } else { - if (t+inc*length < qreal(INT_MAX >> (FIXPT_BITS + 1)) && - t+inc*length > qreal(INT_MIN >> (FIXPT_BITS + 1))) { + if (std::abs(t) < FIXPT_MAX && std::abs(inc) < FIXPT_MAX && std::abs(t + inc * length) < FIXPT_MAX) { // we can use fixed point math int t_fixed = int(t * FIXPT_SIZE); int inc_fixed = int(inc * FIXPT_SIZE); -- cgit v1.2.3