From d52fb58f34199e9a6e008929425cd21b92a2674a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20R=C3=B8dal?= Date: Tue, 2 Jun 2009 10:42:21 +0200 Subject: Fixed bug in QClipData::fixup(). The bounding rect computed in fixup() is one pixel too wide, causing potential memory corruption by painting outside device boundaries. Reviewed-by: Trond --- src/gui/painting/qpaintengine_raster.cpp | 2 -- tests/auto/qpainter/tst_qpainter.cpp | 24 ++++++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp index 3f85095..578a815 100644 --- a/src/gui/painting/qpaintengine_raster.cpp +++ b/src/gui/painting/qpaintengine_raster.cpp @@ -4475,14 +4475,12 @@ void QClipData::fixup() if (sl != left || sr != right) isRect = false; } - ++xmax; // qDebug("xmin=%d,xmax=%d,ymin=%d,ymax=%d %s", xmin, xmax, ymin, ymax, isRect ? "rectangular" : ""); if (isRect) { hasRectClip = true; clipRect.setRect(xmin, ymin, xmax - xmin, ymax - ymin); } - } /* diff --git a/tests/auto/qpainter/tst_qpainter.cpp b/tests/auto/qpainter/tst_qpainter.cpp index 87f9c13..af0f6cf 100644 --- a/tests/auto/qpainter/tst_qpainter.cpp +++ b/tests/auto/qpainter/tst_qpainter.cpp @@ -226,6 +226,7 @@ private slots: void extendedBlendModes(); void zeroOpacity(); + void clippingBug(); private: void fillData(); @@ -4168,5 +4169,28 @@ void tst_QPainter::zeroOpacity() QCOMPARE(target.pixel(0, 0), 0xff000000); } +void tst_QPainter::clippingBug() +{ + QImage img(32, 32, QImage::Format_ARGB32_Premultiplied); + img.fill(0); + + QImage expected = img; + QPainter p(&expected); + p.fillRect(1, 1, 30, 30, Qt::red); + p.end(); + + QPainterPath path; + path.addRect(1, 1, 30, 30); + path.addRect(1, 1, 30, 30); + path.addRect(1, 1, 30, 30); + + p.begin(&img); + p.setClipPath(path); + p.fillRect(0, 0, 32, 32, Qt::red); + p.end(); + + QCOMPARE(img, expected); +} + QTEST_MAIN(tst_QPainter) #include "tst_qpainter.moc" -- cgit v0.12