From cfa2c8edab18e810749ad7df29c0b3b4f83f7140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Trond=20Kjern=C3=A5sen?= Date: Tue, 17 Nov 2009 15:37:25 +0100 Subject: Fixed a crash on Mac in QPixmap when loading pixmaps of different sizes. The size of the original pixmap data block wasn't retained, which would result in out-of-bound reads in the memcpy() call. Task-number: QTBUG-5070 Reviewed-by: Kim --- src/gui/image/qpixmap_mac.cpp | 7 ++++--- src/gui/image/qpixmap_mac_p.h | 1 + 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/gui/image/qpixmap_mac.cpp b/src/gui/image/qpixmap_mac.cpp index 6175931..365c271 100644 --- a/src/gui/image/qpixmap_mac.cpp +++ b/src/gui/image/qpixmap_mac.cpp @@ -160,8 +160,8 @@ QSet QMacPixmapData::validDataPointers; QMacPixmapData::QMacPixmapData(PixelType type) : QPixmapData(type, MacClass), has_alpha(0), has_mask(0), - uninit(true), pixels(0), pixelsToFree(0), bytesPerRow(0), - cg_data(0), cg_dataBeingReleased(0), cg_mask(0), + uninit(true), pixels(0), pixelsSize(0), pixelsToFree(0), + bytesPerRow(0), cg_data(0), cg_dataBeingReleased(0), cg_mask(0), pengine(0) { } @@ -637,8 +637,9 @@ void QMacPixmapData::macCreatePixels() } if (pixels) - memcpy(base_pixels, pixels, numBytes); + memcpy(base_pixels, pixels, pixelsSize); pixels = base_pixels; + pixelsSize = numBytes; } #if 0 diff --git a/src/gui/image/qpixmap_mac_p.h b/src/gui/image/qpixmap_mac_p.h index a3fb95f..45ab8e2 100644 --- a/src/gui/image/qpixmap_mac_p.h +++ b/src/gui/image/qpixmap_mac_p.h @@ -107,6 +107,7 @@ private: pixelsToFree later on instead of malloc'ing memory. */ quint32 *pixels; + uint pixelsSize; quint32 *pixelsToFree; uint bytesPerRow; QRectF cg_mask_rect; -- cgit v0.12