From 440888de851daad78d89f2958aa95e9193832fb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Topi=20Reini=C3=B6?= <topi.reinio@nokia.com>
Date: Thu, 4 Nov 2010 14:20:02 +0100
Subject: Prevent access to non-existent memory in QGL2PEXVertexArray

QGL2PEXVertexArray::addClosingLine() uses using QDataBuffer::add() to
add a QPointF at the end, with a const reference to another value in
the same array. As add() resizes and possibly relocates the buffer, an
already-released memory location may be accessed.

This change copies the value into a temporary variable before resizing
the array.

Task-number: QTBUG-14944
Reviewed-by: Samuel
---
 src/opengl/gl2paintengineex/qgl2pexvertexarray.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/opengl/gl2paintengineex/qgl2pexvertexarray.cpp b/src/opengl/gl2paintengineex/qgl2pexvertexarray.cpp
index 559a6fd..167a7d2 100644
--- a/src/opengl/gl2paintengineex/qgl2pexvertexarray.cpp
+++ b/src/opengl/gl2paintengineex/qgl2pexvertexarray.cpp
@@ -63,8 +63,9 @@ QGLRect QGL2PEXVertexArray::boundingRect() const
 
 void QGL2PEXVertexArray::addClosingLine(int index)
 {
-    if (QPointF(vertexArray.at(index)) != QPointF(vertexArray.last()))
-        vertexArray.add(vertexArray.at(index));
+    QPointF point(vertexArray.at(index));
+    if (point != QPointF(vertexArray.last()))
+        vertexArray.add(point);
 }
 
 void QGL2PEXVertexArray::addCentroid(const QVectorPath &path, int subPathIndex)
-- 
cgit v0.12