From ea1521a490e6e6c2830eb8e072e80c554a91a439 Mon Sep 17 00:00:00 2001 From: Samuel Rodal Date: Fri, 19 Apr 2013 17:06:14 +0100 Subject: Fixed invalid memory read in SSSE3 image blending code. We need to do bounds comparison on the actual offset we're going to use with _mm_load_si128 to read 16 bytes from memory (even though we won't use the trailing bytes in the end). Task-number: QTBUG-28324 (cherry-picked from qtbase commit 52619ae7787b3c4febb73a02afa623b12edabc97) Change-Id: I705ae191312e5ffe25e45caea71ada73ec97f68d Reviewed-by: Thiago Macieira --- src/gui/painting/qdrawhelper_ssse3.cpp | 2 +- tests/auto/qpainter/tst_qpainter.cpp | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/gui/painting/qdrawhelper_ssse3.cpp b/src/gui/painting/qdrawhelper_ssse3.cpp index 33d436a..0c88850 100644 --- a/src/gui/painting/qdrawhelper_ssse3.cpp +++ b/src/gui/painting/qdrawhelper_ssse3.cpp @@ -60,7 +60,7 @@ inline static void blend_pixel(quint32 &dst, const quint32 src) shift (4, 8, 12). Checking the alignment inside the loop is unfortunatelly way too slow. */ #define BLENDING_LOOP(palignrOffset, length)\ - for (; x < length-3; x += 4) { \ + for (; x-minusOffsetToAlignSrcOn16Bytes < length-7; x += 4) { \ const __m128i srcVectorLastLoaded = _mm_load_si128((__m128i *)&src[x - minusOffsetToAlignSrcOn16Bytes + 4]);\ const __m128i srcVector = _mm_alignr_epi8(srcVectorLastLoaded, srcVectorPrevLoaded, palignrOffset); \ const __m128i srcVectorAlpha = _mm_and_si128(srcVector, alphaMask); \ diff --git a/tests/auto/qpainter/tst_qpainter.cpp b/tests/auto/qpainter/tst_qpainter.cpp index e224522..f073f70 100644 --- a/tests/auto/qpainter/tst_qpainter.cpp +++ b/tests/auto/qpainter/tst_qpainter.cpp @@ -223,6 +223,7 @@ private slots: void drawImage_task217400(); void drawImage_1x1(); void drawImage_task258776(); + void drawImage_QTBUG28324(); void drawRect_task215378(); void drawRect_task247505(); @@ -3672,6 +3673,25 @@ void tst_QPainter::drawImage_task258776() QCOMPARE(dest, expected); } +void tst_QPainter::drawImage_QTBUG28324() +{ + QImage dest(512, 512, QImage::Format_ARGB32_Premultiplied); + dest.fill(0x0); + + int x = 263; int y = 89; int w = 61; int h = 39; + + QImage source(w, h, QImage::Format_ARGB32_Premultiplied); + quint32 *b = (quint32 *)source.bits(); + for (int j = 0; j < w * h; ++j) + b[j] = 0x7f7f7f7f; + + // nothing to test here since the bug is about + // an invalid memory read, which valgrind + // would complain about + QPainter p(&dest); + p.drawImage(x, y, source); +} + void tst_QPainter::clipRectSaveRestore() { QImage img(64, 64, QImage::Format_ARGB32_Premultiplied); -- cgit v0.12