From 9fbce8d5cbcc9d8d255328d6ec040db0510ca289 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 10 Dec 2018 11:06:26 +0100
Subject: Avoid crash in blitting or fast draw when QPointF is too big

Change-Id: I88182d5d95fda15d33836f16dee78167685b3765
Fixes: QTBUG-72392
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Tim Jenssen <tim.jenssen@qt.io>
---
 src/gui/painting/qpaintengine_raster.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/gui/painting')

diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp
index 7caaf3a8fa..90b6d16551 100644
--- a/src/gui/painting/qpaintengine_raster.cpp
+++ b/src/gui/painting/qpaintengine_raster.cpp
@@ -997,6 +997,10 @@ void QRasterPaintEnginePrivate::drawImage(const QPointF &pt,
 {
     if (alpha == 0 || !clip.isValid())
         return;
+    if (pt.x() > qreal(clip.right()) || pt.y() > qreal(clip.bottom()))
+        return;
+    if ((pt.x() + img.width()) < qreal(clip.left()) || (pt.y() + img.height()) < qreal(clip.top()))
+        return;
 
     Q_ASSERT(img.depth() >= 8);
 
@@ -1063,6 +1067,10 @@ void QRasterPaintEnginePrivate::blitImage(const QPointF &pt,
 {
     if (!clip.isValid())
         return;
+    if (pt.x() > qreal(clip.right()) || pt.y() > qreal(clip.bottom()))
+        return;
+    if ((pt.x() + img.width()) < qreal(clip.left()) || (pt.y() + img.height()) < qreal(clip.top()))
+        return;
 
     Q_ASSERT(img.depth() >= 8);
 
-- 
cgit v1.2.3