author | Ademar de Souza Reis Jr <ademar.reis@openbossa.org> | 2011-01-21 14:19:00 (GMT) |
---|---|---|
committer | Marius Storm-Olsen <marius.storm-olsen@nokia.com> | 2011-01-21 15:22:11 (GMT) |
commit | 972fcb6de69fb7ed3ae8147498ceb5d2ac79f057 (patch) | |
tree | b6e728b3e687eb1ce5d8235f494a47618ddf7a3e /tests/auto/qpainterpath | |
parent | 4c57b9d3f1865beb87120fc4691241c57a2bfb01 (diff) | |
QPainterPath: Ignore calls with NaN/Infinite parameters

QPainterPath can't handle NaNs/Inf inside coordinates, but instead of
safely ignoring or aborting an operation, it shows a warning and keeps
going on, with undefined behavior, sometimes leading to infinite loops,
leaks or crashes (see qtwebkit example below).

This is particularly bad when QPainterPath is used to render content
from untrusted sources (web or user data). As an example, there's a
qtwebkit bug where the browser crashes when a particular SVG is loaded:
https://bugs.webkit.org/show_bug.cgi?id=51698.

Please note that "untrusted sources" doesn't apply only to network
sources. This behavior can probably be exploited on applications such as
file-browsers with previews enabled.

Task-number: QTBUG-16664
Signed-off-by: Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Merge-request: 1026
Reviewed-by: Marius Storm-Olsen <marius.storm-olsen@nokia.com>
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@nokia.com>

Diffstat (limited to 'tests/auto/qpainterpath')
-rw-r--r-- | tests/auto/qpainterpath/tst_qpainterpath.cpp | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/tests/auto/qpainterpath/tst_qpainterpath.cpp b/tests/auto/qpainterpath/tst_qpainterpath.cpp index f60e782..fb3a4ea 100644 --- a/tests/auto/qpainterpath/tst_qpainterpath.cpp +++ b/tests/auto/qpainterpath/tst_qpainterpath.cpp @@ -103,6 +103,8 @@ private slots: void testToFillPolygons(); + void testNaNandInfinites(); + void closing(); void operators_data(); @@ -1163,6 +1165,50 @@ void tst_QPainterPath::testToFillPolygons() QCOMPARE(polygons.first().count(QPointF(70, 50)), 0); } +void tst_QPainterPath::testNaNandInfinites() +{ + QPainterPath path1; + QPainterPath path2 = path1; + + QPointF p1 = QPointF(qSNaN(), 1); + QPointF p2 = QPointF(qQNaN(), 1); + QPointF p3 = QPointF(qQNaN(), 1); + QPointF pInf = QPointF(qInf(), 1); + + // all these operations with NaN/Inf should be ignored + // can't test operator>> reliably, as we can't create a path with NaN to << later + + path1.moveTo(p1); + path1.moveTo(qSNaN(), qQNaN()); + path1.moveTo(pInf); + + path1.lineTo(p1); + path1.lineTo(qSNaN(), qQNaN()); + path1.lineTo(pInf); + + path1.cubicTo(p1, p2, p3); + path1.cubicTo(p1, QPointF(1, 1), QPointF(2, 2)); + path1.cubicTo(pInf, QPointF(10, 10), QPointF(5, 1)); + + path1.quadTo(p1, p2); + path1.quadTo(QPointF(1, 1), p3); + path1.quadTo(QPointF(1, 1), pInf); + + path1.arcTo(QRectF(p1, p2), 5, 5); + path1.arcTo(QRectF(pInf, QPointF(1, 1)), 5, 5); + + path1.addRect(QRectF(p1, p2)); + path1.addRect(QRectF(pInf, QPointF(1, 1))); + + path1.addEllipse(QRectF(p1, p2)); + path1.addEllipse(QRectF(pInf, QPointF(1, 1))); + + QCOMPARE(path1, path2); + + path1.lineTo(QPointF(1, 1)); + QVERIFY(path1 != path2); +} + void tst_QPainterPath::connectPathDuplicatePoint() { QPainterPath a; |
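
Review bot: In testNaNandInfinites(), p3 is declared identically to p2 (`QPointF(qQNaN(), 1)`), and every point built for the test puts the non-finite value in x with y fixed at 1, so a NaN or infinity that arrives only in the y coordinate is never exercised, and neither is a negative infinity. Consider making p3 something like `QPointF(1, qQNaN())` and adding a point built from `-qInf()`, so the test covers both coordinates and both signs. The two arcTo() calls also pass only finite angles (5, 5); if the guard is meant to cover the angle arguments as well as the rectangle, a case with a NaN angle would pin that down. Finally, the comment says a path with NaN can't be created to test `operator>>`, but a short note on how the stream operator is expected to behave on non-finite input would help the next reader, since untrusted serialized data is exactly the scenario the commit message describes.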