summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorRhys Weatherley <rhys.weatherley@nokia.com>2009-12-18 05:55:07 (GMT)
committerRhys Weatherley <rhys.weatherley@nokia.com>2009-12-18 05:58:33 (GMT)
commit4a580b972a90660dc90ef7becea5dfde2a056a4b (patch)
tree2994a1002cbb7242fa1989da0c170e9b8de2f323 /src
parent87777f7c0f4c3e338d23d2c3d368a8a484a35a6e (diff)
downloadQt-4a580b972a90660dc90ef7becea5dfde2a056a4b.zip
Qt-4a580b972a90660dc90ef7becea5dfde2a056a4b.tar.gz
Qt-4a580b972a90660dc90ef7becea5dfde2a056a4b.tar.bz2
Prevent access to non-existent memory in triagulating stroker
In the triangulating stroker, the last point was being duplicated in dashed paths. But because QDataBuffer::add() takes a ref to a float rather than a float, it would resize the data buffer and then try to fetch the values out of a pointer to the original buffer memory. This change copies the values into temporary variables before resizing the array. Task-number: QTBUG-6045 Reviewed-by: Sarah Smith
Diffstat (limited to 'src')
-rw-r--r--src/opengl/gl2paintengineex/qtriangulatingstroker.cpp10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
index 6082f49..395b8a3 100644
--- a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
+++ b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
@@ -62,8 +62,14 @@ void QTriangulatingStroker::endCapOrJoinClosed(const qreal *start, const qreal *
endCap(cur);
}
int count = m_vertices.size();
- m_vertices.add(m_vertices.at(count-2));
- m_vertices.add(m_vertices.at(count-1));
+
+ // Copy the (x, y) values because QDataBuffer::add(const float& t)
+ // may resize the buffer, which will leave t pointing at the
+ // previous buffer's memory region if we don't copy first.
+ float x = m_vertices.at(count-2);
+ float y = m_vertices.at(count-1);
+ m_vertices.add(x);
+ m_vertices.add(y);
}