Avoid converting supersized QRectF to QRect

Check that the sizes are even representable when checking if clipping is necessary. Fixes oss-fuzz 23630 Pick-to: 5.15 5.12 Change-Id: I95d6873d28b0e4f47aae7666f7ee96b745dc997b Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
2020-06-23 09:50:54 +02:00 · 2020-06-23 09:50:54 +02:00 · 177c0ef204
commit 177c0ef204
parent d13b6bd496
1 changed files with 8 additions and 3 deletions
--- a/src/gui/painting/qpaintengine_raster.cpp
+++ b/src/gui/painting/qpaintengine_raster.cpp
@ -1782,9 +1782,9 @@ void QRasterPaintEngine::fill(const QVectorPath &path, const QBrush &brush)

    // ### Optimize for non transformed ellipses and rectangles...
    QRectF cpRect = path.controlPointRect();
-    const QRect pathDeviceRect = s->matrix.mapRect(cpRect).toRect();
+    const QRectF pathDeviceRect = s->matrix.mapRect(cpRect);
    // Skip paths that by conservative estimates are completely outside the paint device.
-    if (!pathDeviceRect.intersects(d->deviceRect))
+    if (!pathDeviceRect.intersects(QRectF(d->deviceRect)))
        return;

    ProcessSpans blend = d->getBrushFunc(pathDeviceRect, &s->brushData);
@ -3043,7 +3043,12 @@ bool QRasterPaintEnginePrivate::isUnclipped(const QRect &rect,
 inline bool QRasterPaintEnginePrivate::isUnclipped(const QRectF &rect,
                                                   int penWidth) const
 {
-    return isUnclipped(rect.normalized().toAlignedRect(), penWidth);
+    const QRectF norm = rect.normalized();
+    if (norm.left() < INT_MIN || norm.top() < INT_MIN
+            || norm.right() > INT_MAX || norm.bottom() > INT_MAX
+            || norm.width() > INT_MAX || norm.height() > INT_MAX)
+        return false;
+    return isUnclipped(norm.toAlignedRect(), penWidth);
 }

 inline ProcessSpans