From f0a51eef5696782ec325b20f14cfe353d0a58d20 Mon Sep 17 00:00:00 2001
From: Fabian Kosmale
Date: Fri, 5 Feb 2021 21:30:56 +0100
Subject: QSGBatchRender: avoid crash if buffer shrinks
The QRhiBuffer does not shrink; thus we can end up with buffer->buf->size > buffer->size. This would subsequently lead to an out-of-bounds memory access, and a crash. Fix this by using the uploadStaticBuffer overload which takes the size. As a drive-by, remove pointless QByteArray::fromRawData call.
Pick-to: 6.0 6.1
Change-Id: I40058ada6a6a5eb745ae559e8c9ed474fd41f75c
Reviewed-by: Laszlo Agocs
---
 src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp b/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp
index aa46b5a509..2272956121 100644
--- a/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp
+++ b/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp
@@ -1073,11 +1073,11 @@ void Renderer::unmap(Buffer *buffer, bool isIndexBuf)
 }
 if (buffer->buf->type() != QRhiBuffer::Dynamic) {
 m_resourceUpdates->uploadStaticBuffer(buffer->buf,
- QByteArray::fromRawData(buffer->data, buffer->size));
+ 0, buffer->size, buffer->data);
 buffer->nonDynamicChangeCount += 1;
 } else {
 m_resourceUpdates->updateDynamicBuffer(buffer->buf, 0, buffer->size,
- QByteArray::fromRawData(buffer->data, buffer->size));
+ buffer->data);
 }
 if (m_visualizer->mode() == Visualizer::VisualizeNothing)
 buffer->data = nullptr;
--
cgit v1.2.3
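Review bot: Nothing at the new `uploadStaticBuffer(buffer->buf, 0, buffer->size, buffer->data)` call records why the explicit size matters, so a later cleanup could switch back to the size-less overload and reintroduce the out-of-bounds read the commit message describes. I would add a comment above the call, e.g. `// QRhiBuffer never shrinks, so buf->size() may exceed buffer->size; always pass the CPU-side size.` The opposite relation (`buffer->size` larger than the QRhiBuffer) is not checked in the visible lines either. Presumably the buffer is grown earlier in `Renderer::unmap`, whose body starts and ends outside this hunk, and a `Q_ASSERT(buffer->size <= buffer->buf->size());` ahead of the branch would pin that assumption.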