From c4d8734c504cf0f313245befa34501e7314b4cd1 Mon Sep 17 00:00:00 2001 From: Lars Knoll Date: Tue, 25 Mar 2014 15:04:22 +0100 Subject: Avoid out of bounds memory reads when scaling images The calculation of the width/height required for the scaling algorithm was prone to floating point rounding issues, where the lower value got rounded down, the higher one rounded up. This could lead to a situation where we iterated over one more line/pixel in the line than we have in the source image. Correct this by passing the dimension of the source image into the function and bounds checking the values before iterating. Task-number: QTBUG-35927 Change-Id: If44b2235a479224660d508a0504fec40d724763a Reviewed-by: Laszlo Agocs --- src/gui/painting/qpaintengine_raster.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/gui/painting/qpaintengine_raster.cpp') diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp index 67896f786d..bfcb24ae3a 100644 --- a/src/gui/painting/qpaintengine_raster.cpp +++ b/src/gui/painting/qpaintengine_raster.cpp @@ -2377,7 +2377,7 @@ void QRasterPaintEngine::drawImage(const QRectF &r, const QImage &img, const QRe SrcOverScaleFunc func = qScaleFunctions[d->rasterBuffer->format][img.format()]; if (func && (!clip || clip->hasRectClip)) { func(d->rasterBuffer->buffer(), d->rasterBuffer->bytesPerLine(), - img.bits(), img.bytesPerLine(), + img.bits(), img.bytesPerLine(), img.height(), qt_mapRect_non_normalizing(r, s->matrix), sr, !clip ? d->deviceRect : clip->clipRect, s->intOpacity); -- cgit v1.2.3