QSGOpenGLDistanceFieldGlyphCache: fix UB (ordering of pointers not from the same array)

The code performed out of bounds checks by adding the size of the buffer to a pointer and comparing the result to the the one-past-the-end pointer of the buffer. This is UB, for three reasons: - in one case, a qint64 is added to a pointer, silently truncating the result on 32bit platforms - if the buffer overflow is large, the pointer value may wrap around, yielding a result that is numerically less than the end pointer, but still out-of-bounds. - pointer order is only defined within a C array, plus one past the end. On failure, pointers outside that range are compared. Fix by comparing distance(it, end) with the required size for the chunk to be written instead. Change-Id: I356bb8c8a65a93b8b1c1eb7bac381dd64bea719e Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit 8d9bd6b381bfc759d575954801b683354ad6a790) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Marc Mutz <marc.mutz@kdab.com> 2019-07-16 11:31:01 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2022-03-25 19:04:49 +0000
commit: 86b11891a034b0d14b65beb59ad8f28178a2b855 (patch)
tree: dbc2b54b98d7a20bbf1fd339db382f4060d2474b
parent: 2f301f4550daa8cf93a788f9adc56b0fec61afbe (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
index a47b35210b..b139c3428a 100644
--- a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
+++ b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
@@ -449,7 +449,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
 
         const char *textureRecord = allocatorData;
         for (int i = 0; i < textureCount; ++i, textureRecord += Qtdf::TextureRecordSize) {
-            if (textureRecord + Qtdf::TextureRecordSize > qtdfTableEnd) {
+            if (qtdfTableEnd - textureRecord < Qtdf::TextureRecordSize) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
@@ -465,7 +465,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
 
         const char *glyphRecord = textureRecord;
         for (quint32 i = 0; i < glyphCount; ++i, glyphRecord += Qtdf::GlyphRecordSize) {
-            if (glyphRecord + Qtdf::GlyphRecordSize > qtdfTableEnd) {
+            if (qtdfTableEnd - glyphRecord < Qtdf:: GlyphRecordSize) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
@@ -516,7 +516,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
             int width = texInfo->allocatedArea.width();
             int height = texInfo->allocatedArea.height();
             qint64 size = qint64(width) * height;
-            if (reinterpret_cast<const char *>(textureData + size) > qtdfTableEnd) {
+            if (qtdfTableEnd - reinterpret_cast<const char *>(textureData) < size) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
author	Marc Mutz <marc.mutz@kdab.com>	2019-07-16 11:31:01 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2022-03-25 19:04:49 +0000
commit	86b11891a034b0d14b65beb59ad8f28178a2b855 (patch)
tree	dbc2b54b98d7a20bbf1fd339db382f4060d2474b
parent	2f301f4550daa8cf93a788f9adc56b0fec61afbe (diff)