From 4a580b972a90660dc90ef7becea5dfde2a056a4b Mon Sep 17 00:00:00 2001
From: Rhys Weatherley
Date: Fri, 18 Dec 2009 15:55:07 +1000
Subject: Prevent access to non-existent memory in triagulating stroker

In the triangulating stroker, the last point was being duplicated in dashed paths. But because QDataBuffer::add() takes a ref to a float rather than a float, it would resize the data buffer and then try to fetch the values out of a pointer to the original buffer memory. This change copies the values into temporary variables before resizing the array.
Task-number: QTBUG-6045
Reviewed-by: Sarah Smith
---
 src/opengl/gl2paintengineex/qtriangulatingstroker.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
index 6082f49..395b8a3 100644
--- a/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
+++ b/src/opengl/gl2paintengineex/qtriangulatingstroker.cpp
@@ -62,8 +62,14 @@ void QTriangulatingStroker::endCapOrJoinClosed(const qreal *start, const qreal *
 endCap(cur);
 }
 int count = m_vertices.size();
- m_vertices.add(m_vertices.at(count-2));
- m_vertices.add(m_vertices.at(count-1));
+
+ // Copy the (x, y) values because QDataBuffer::add(const float& t)
+ // may resize the buffer, which will leave t pointing at the
+ // previous buffer's memory region if we don't copy first.
+ float x = m_vertices.at(count-2);
+ float y = m_vertices.at(count-1);
+ m_vertices.add(x);
+ m_vertices.add(y);
 }
-- 
cgit v0.12
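Review bot: The temporaries `x` and `y` fix the stale read at this one call site only, while the hazard the commit message describes stays in `QDataBuffer::add(const float&)` itself, so any other caller that passes a reference into the same buffer would still read freed memory when `add()` reallocates. QDataBuffer is not part of this diff, so this is inferred from the description; if `add()` does grow the buffer before reading its argument, copying the argument to a local at the top of `add()` (or taking small types by value) would close the whole class of bug, and a search for other `add(buf.at(...))` call patterns would be worth doing alongside this change. Separately, `m_vertices.at(count-2)` assumes at least two floats are already in the buffer; nothing in the hunk shows that, so a `Q_ASSERT(count >= 2);` after `int count = m_vertices.size();` would document the precondition. The body of endCapOrJoinClosed starts above the hunk.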