diff options
| author | Marc Mutz <marc.mutz@kdab.com> | 2019-07-16 11:31:01 +0200 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2022-03-19 11:25:27 +0000 |
| commit | a5635345175e667601c8b6a344508c4d4ebb0f9d (patch) | |
| tree | 9688b3052eb5d022793bd512a17a554e0332669e /src/quick/scenegraph/shaders_ng/textmask.frag.qsb | |
| parent | ed41fb59cad2fabc9b9382c703d16cec8f904acd (diff) | |
QSGOpenGLDistanceFieldGlyphCache: fix UB (ordering of pointers not from the same array)
The code performed out of bounds checks by adding the size of the
buffer to a pointer and comparing the result to the the
one-past-the-end pointer of the buffer.
This is UB, for three reasons:
- in one case, a qint64 is added to a pointer, silently truncating the
result on 32bit platforms
- if the buffer overflow is large, the pointer value may wrap around,
yielding a result that is numerically less than the end pointer, but
still out-of-bounds.
- pointer order is only defined within a C array, plus one past the
end. On failure, pointers outside that range are compared.
Fix by comparing distance(it, end) with the required size for the
chunk to be written instead.
Change-Id: I356bb8c8a65a93b8b1c1eb7bac381dd64bea719e
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 8d9bd6b381bfc759d575954801b683354ad6a790)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/quick/scenegraph/shaders_ng/textmask.frag.qsb')
0 files changed, 0 insertions, 0 deletions