diff options
| author | Samuel Rødal <samuel.rodal@digia.com> | 2013-02-25 08:58:34 (GMT) |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-04-22 05:46:42 (GMT) |
| commit | 3e4c589d2f067482e5c46180b48bc7a94a96c4e6 (patch) | |
| tree | fe4087c696fdd3a16d6616227d5d02181ce85e12 | |
| parent | b82b8bfa811adcf11cb8d07d662fd2b9642deebc (diff) | |
| download | Qt-3e4c589d2f067482e5c46180b48bc7a94a96c4e6.zip Qt-3e4c589d2f067482e5c46180b48bc7a94a96c4e6.tar.gz Qt-3e4c589d2f067482e5c46180b48bc7a94a96c4e6.tar.bz2 | |
Fixed potential access violation in QPixmap::copy() for <32 bit pixmaps.
QImage is supposed to maintain the invariant that each scan-line begins
on a 4-byte boundary, so we need to verify that this is the case before
using the optimized path of short-cutting QImage::copy() by referencing
the source image's bits directly.
Task-number: QTBUG-14766
Change-Id: I0a178aeb2f34cc64f98deae9470b55b5c53fcb06
Reviewed-by: Gunnar Sletta <gunnar.sletta@digia.com>
(cherry picked from commit 711773776ed324efce7f1ed227104da9c7e21e05)
Reviewed-by: aavit <eirik.aavitsland@digia.com>
| -rw-r--r-- | src/gui/image/qpixmap_raster.cpp | 5 | ||||
| -rw-r--r-- | tests/auto/qpixmap/tst_qpixmap.cpp | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/gui/image/qpixmap_raster.cpp b/src/gui/image/qpixmap_raster.cpp index 8dedfba..8ee982c 100644 --- a/src/gui/image/qpixmap_raster.cpp +++ b/src/gui/image/qpixmap_raster.cpp @@ -330,8 +330,9 @@ QImage QRasterPixmapData::toImage(const QRect &rect) const return image; QRect clipped = rect.intersected(QRect(0, 0, w, h)); - if (d % 8 == 0) - return QImage(image.scanLine(clipped.y()) + clipped.x() * (d / 8), + const uint du = uint(d); + if ((du % 8 == 0) && (((uint(clipped.x()) * du)) % 32 == 0)) + return QImage(image.scanLine(clipped.y()) + clipped.x() * (du / 8), clipped.width(), clipped.height(), image.bytesPerLine(), image.format()); else diff --git a/tests/auto/qpixmap/tst_qpixmap.cpp b/tests/auto/qpixmap/tst_qpixmap.cpp index d22cc86..9fb5f41 100644 --- a/tests/auto/qpixmap/tst_qpixmap.cpp +++ b/tests/auto/qpixmap/tst_qpixmap.cpp @@ -199,6 +199,8 @@ private slots: void drawPixmapWhilePainterOpen(); void scaled_QTBUG19157(); + + void copyOnNonAlignedBoundary(); }; static bool lenientCompare(const QPixmap &actual, const QPixmap &expected) @@ -1966,5 +1968,13 @@ void tst_QPixmap::scaled_QTBUG19157() QVERIFY(!foo.isNull()); } +void tst_QPixmap::copyOnNonAlignedBoundary() +{ + QImage img(8, 2, QImage::Format_RGB16); + + QPixmap pm1 = QPixmap::fromImage(img, Qt::NoFormatConversion); + QPixmap pm2 = pm1.copy(QRect(5, 0, 3, 2)); // When copying second line: 2 bytes too many are read which might cause an access violation. +} + QTEST_MAIN(tst_QPixmap) #include "tst_qpixmap.moc" |