author | Rhys Weatherley <rhys.weatherley@nokia.com> | 2009-12-18 05:55:07 (GMT) |
---|---|---|
committer | Rhys Weatherley <rhys.weatherley@nokia.com> | 2009-12-18 05:58:33 (GMT) |
commit | 4a580b972a90660dc90ef7becea5dfde2a056a4b (patch) | |
tree | 2994a1002cbb7242fa1989da0c170e9b8de2f323 /src | |
parent | 87777f7c0f4c3e338d23d2c3d368a8a484a35a6e (diff) | |
Prevent access to non-existent memory in triangulating stroker

In the triangulating stroker, the last point was being duplicated in
dashed paths. But because QDataBuffer::add() takes a ref to a float
rather than a float, it would resize the data buffer and then try to
fetch the values out of a pointer to the original buffer memory.

This change copies the values into temporary variables before
resizing the array.

Task-number: QTBUG-6045
Reviewed-by: Sarah Smith
Diffstat (limited to 'src')
-rw-r--r-- | src/opengl/gl2paintengineex/qtriangulatingstroker.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp index 6082f49..395b8a3 100644 --- a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp +++ b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp @@ -62,8 +62,14 @@ void QTriangulatingStroker::endCapOrJoinClosed(const qreal *start, const qreal * endCap(cur); } int count = m_vertices.size(); - m_vertices.add(m_vertices.at(count-2)); - m_vertices.add(m_vertices.at(count-1)); + + // Copy the (x, y) values because QDataBuffer::add(const float& t) + // may resize the buffer, which will leave t pointing at the + // previous buffer's memory region if we don't copy first. + float x = m_vertices.at(count-2); + float y = m_vertices.at(count-1); + m_vertices.add(x); + m_vertices.add(y); } |
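Review bot: the new locals at `float x = m_vertices.at(count-2);` and `float y = m_vertices.at(count-1);` fix this one call site, but the hazard the added comment describes lives in `QDataBuffer::add(const float& t)` itself, so any other caller that passes a reference into the same buffer will still read from the old allocation after a resize. Consider fixing it at the source: have add() copy `t` into a local before it grows the buffer, or take the argument by value, and then audit the remaining callers that use the add(at(i)) pattern. Separately, nothing in the visible lines establishes that `count` is at least 2 before `at(count-2)` is evaluated; if that is guaranteed by the preceding cap or join code, a `Q_ASSERT(count >= 2)` after `int count = m_vertices.size();` would document the invariant and catch an out-of-range read in debug builds.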