From dd14f5ea568ce647638993da90112e71cffc9cc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20R=C3=B8dal?= <samuel.rodal@nokia.com>
Date: Fri, 17 Sep 2010 19:47:56 +0200
Subject: Fixed memory corruption issue in qt_blurImage for Indexed8 images.

If transposed was set to 0 we did not check the color depth of the image
and ended up with a buffer overflow.

Reviewed-by: Jens Bache-Wiig
---
 src/gui/image/qpixmapfilter.cpp                | 15 +++++++++++----
 tests/auto/qpixmapfilter/tst_qpixmapfilter.cpp | 20 ++++++++++++++++++++
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/src/gui/image/qpixmapfilter.cpp b/src/gui/image/qpixmapfilter.cpp
index 70770c4..26bffcc 100644
--- a/src/gui/image/qpixmapfilter.cpp
+++ b/src/gui/image/qpixmapfilter.cpp
@@ -764,10 +764,17 @@ void expblur(QImage &img, qreal radius, bool improvedQuality = false, int transp
     }
 
     if (transposed == 0) {
-        qt_memrotate90(reinterpret_cast<const quint32*>(temp.bits()),
-                       temp.width(), temp.height(), temp.bytesPerLine(),
-                       reinterpret_cast<quint32*>(img.bits()),
-                       img.bytesPerLine());
+        if (img.depth() == 8) {
+            qt_memrotate90(reinterpret_cast<const quint8*>(temp.bits()),
+                           temp.width(), temp.height(), temp.bytesPerLine(),
+                           reinterpret_cast<quint8*>(img.bits()),
+                           img.bytesPerLine());
+        } else {
+            qt_memrotate90(reinterpret_cast<const quint32*>(temp.bits()),
+                           temp.width(), temp.height(), temp.bytesPerLine(),
+                           reinterpret_cast<quint32*>(img.bits()),
+                           img.bytesPerLine());
+        }
     } else {
         img = temp;
     }
diff --git a/tests/auto/qpixmapfilter/tst_qpixmapfilter.cpp b/tests/auto/qpixmapfilter/tst_qpixmapfilter.cpp
index f0f087d..1f51d51 100644
--- a/tests/auto/qpixmapfilter/tst_qpixmapfilter.cpp
+++ b/tests/auto/qpixmapfilter/tst_qpixmapfilter.cpp
@@ -72,6 +72,7 @@ private slots:
     void convolutionBoundingRectFor();
     void convolutionDrawSubRect();
     void dropShadowBoundingRectFor();
+    void blurIndexed8();
 
     void testDefaultImplementations();
 };
@@ -423,6 +424,25 @@ void tst_QPixmapFilter::dropShadowBoundingRectFor()
     QCOMPARE(filter.boundingRectFor(rect3), rect3.adjusted(-delta - 10, -delta - 10, 0, 0));
 }
 
+void qt_blurImage(QImage &blurImage, qreal radius, bool quality, int transposed);
+
+void tst_QPixmapFilter::blurIndexed8()
+{
+    QImage img(16, 32, QImage::Format_Indexed8);
+    img.setColorCount(256);
+    for (int i = 0; i < 256; ++i)
+        img.setColor(i, qRgb(i, i, i));
+
+    img.fill(255);
+
+    QImage original = img;
+    qt_blurImage(img, 10, true, false);
+    QCOMPARE(original.size(), img.size());
+
+    original = img;
+    qt_blurImage(img, 10, true, true);
+    QCOMPARE(original.size(), QSize(img.height(), img.width()));
+}
 
 QTEST_MAIN(tst_QPixmapFilter)
 #include "tst_qpixmapfilter.moc"
-- 
cgit v0.12