Fixed a crash on Mac in QPixmap when loading pixmaps of different sizes.

The size of the original pixmap data block wasn't retained, which would
result in out-of-bound reads in the memcpy() call.

Task-number: QTBUG-5070
Reviewed-by: Kim

2 files changed, 5 insertions, 3 deletions

diff --git a/src/gui/image/qpixmap_mac.cpp b/src/gui/image/qpixmap_mac.cpp
index 6175931..365c271 100644
--- a/src/gui/image/qpixmap_mac.cpp
+++ b/src/gui/image/qpixmap_mac.cpp
@@ -160,8 +160,8 @@ QSet<QMacPixmapData*> QMacPixmapData::validDataPointers;
 
 QMacPixmapData::QMacPixmapData(PixelType type)
     : QPixmapData(type, MacClass), has_alpha(0), has_mask(0),
-      uninit(true), pixels(0), pixelsToFree(0), bytesPerRow(0),
-      cg_data(0), cg_dataBeingReleased(0), cg_mask(0),
+      uninit(true), pixels(0), pixelsSize(0), pixelsToFree(0),
+      bytesPerRow(0), cg_data(0), cg_dataBeingReleased(0), cg_mask(0),
       pengine(0)
 {
 }
@@ -637,8 +637,9 @@ void QMacPixmapData::macCreatePixels()
     }
 
     if (pixels)
-        memcpy(base_pixels, pixels, numBytes);
+        memcpy(base_pixels, pixels, pixelsSize);
     pixels = base_pixels;
+    pixelsSize = numBytes;
 }
 
 #if 0
diff --git a/src/gui/image/qpixmap_mac_p.h b/src/gui/image/qpixmap_mac_p.h
index a3fb95f..45ab8e2 100644
--- a/src/gui/image/qpixmap_mac_p.h
+++ b/src/gui/image/qpixmap_mac_p.h
@@ -107,6 +107,7 @@ private:
            pixelsToFree later on instead of malloc'ing memory.
     */
     quint32 *pixels;
+    uint pixelsSize;
     quint32 *pixelsToFree;
     uint bytesPerRow;
     QRectF cg_mask_rect;