AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent array-out-of-bounds access

Browse Source 
Fixes static analyzer warning 12b19393e18b2394a398806f633c6eee, and
amends a1a6e3d21b.

In the process, replace the "int& *= double" with correct integer
arithmetic that'll produce the intended result without going via
double.

Done-with: Edward Welbourne <edward.welbourne@qt.io>
Pick-to: 6.2
Task-number: QTBUG-8096
Change-Id: Ib2aa8ae46a1bfd4d121e61cf99141c0311502215
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
This commit is contained in:
Volker Hilsheimer 2021-07-21 10:15:09 +02:00
parent 6ebe3d0f08
commit 1ee9496679
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/gui/text/qcssparser.cpp
View File

@ -1601,13 +1601,17 @@ QSize Declaration::sizeValue() const
int x[2] = { 0, 0 };
const int count = d->values.count();
for (int i = 0; i < count; ++i) {
if (i > 1) {
qWarning("QCssParser::sizeValue: Too many values provided");
break;
}
const auto &value = d->values.at(i);
const QString valueString = value.variant.toString();
if (valueString.endsWith(u"pt", Qt::CaseInsensitive)) {
intValueHelper(value, &x[i], "pt");
// according to https://www.w3.org/TR/css3-values/#absolute-lengths
// 1pt = 1/72th of 1 inch, and 1px = 1/96th of 1 inch
x[i] *= 72.0/96.0;
x[i] = (x[i] * 72) / 96;
} else {
// by default we use 'px'
intValueHelper(value, &x[i], "px");