AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed invalid memory read in SSSE3 image blending code.

Browse Source 
We need to do bounds comparison on the actual offset we're going to use
with _mm_load_si128 to read 16 bytes from memory (even though we won't
use the trailing bytes in the end).

Task-number: QTBUG-28324
Change-Id: Id0d6094da796ca67338d8ad225fa6b2f309bbe6e
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>
This commit is contained in:
Samuel Rødal 2012-12-14 10:52:47 +01:00 committed by The Qt Project
parent 7ca226c951
commit 52619ae778
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/gui/painting/qdrawhelper_ssse3.cpp
View File

@ -60,7 +60,7 @@ inline static void blend_pixel(quint32 &dst, const quint32 src)
shift (4, 8, 12). Checking the alignment inside the loop is unfortunatelly way too slow.
*/
#define BLENDING_LOOP(palignrOffset, length)\
for (; x < length-3; x += 4) { \
for (; x-minusOffsetToAlignSrcOn16Bytes < length-7; x += 4) { \
const __m128i srcVectorLastLoaded = _mm_load_si128((__m128i *)&src[x - minusOffsetToAlignSrcOn16Bytes + 4]);\
const __m128i srcVector = _mm_alignr_epi8(srcVectorLastLoaded, srcVectorPrevLoaded, palignrOffset); \
const __m128i srcVectorAlpha = _mm_and_si128(srcVector, alphaMask); \

20
tests/auto/gui/painting/qpainter/tst_qpainter.cpp
View File

@ -229,6 +229,7 @@ private slots:
void drawImage_task217400();
void drawImage_1x1();
void drawImage_task258776();
void drawImage_QTBUG28324();
void drawRect_task215378();
void drawRect_task247505();
@ -3233,6 +3234,25 @@ void tst_QPainter::drawImage_task258776()
QCOMPARE(dest, expected);
}
void tst_QPainter::drawImage_QTBUG28324()
{
QImage dest(512, 512, QImage::Format_ARGB32_Premultiplied);
dest.fill(0x0);
int x = 263; int y = 89; int w = 61; int h = 39;
QImage source(w, h, QImage::Format_ARGB32_Premultiplied);
quint32 *b = (quint32 *)source.bits();
for (int j = 0; j < w * h; ++j)
b[j] = 0x7f7f7f7f;
// nothing to test here since the bug is about
// an invalid memory read, which valgrind
// would complain about
QPainter p(&dest);
p.drawImage(x, y, source);
}
void tst_QPainter::clipRectSaveRestore()
{
QImage img(64, 64, QImage::Format_ARGB32_Premultiplied);