From 711773776ed324efce7f1ed227104da9c7e21e05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20R=C3=B8dal?= Date: Mon, 25 Feb 2013 09:58:34 +0100 Subject: [PATCH] Fixed potential access violation in QPixmap::copy() for <32 bit pixmaps. QImage is supposed to maintain the invariant that each scan-line begins on a 4-byte boundary, so we need to verify that this is the case before using the optimized path of short-cutting QImage::copy() by referencing the source image's bits directly. Task-number: QTBUG-14766 Change-Id: I0a178aeb2f34cc64f98deae9470b55b5c53fcb06 Reviewed-by: Gunnar Sletta --- src/gui/image/qpixmap_raster.cpp | 5 +++-- tests/auto/gui/image/qpixmap/tst_qpixmap.cpp | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/gui/image/qpixmap_raster.cpp b/src/gui/image/qpixmap_raster.cpp index f0cb69f3ec..f8fef9cada 100644 --- a/src/gui/image/qpixmap_raster.cpp +++ b/src/gui/image/qpixmap_raster.cpp @@ -239,8 +239,9 @@ QImage QRasterPlatformPixmap::toImage(const QRect &rect) const return image; QRect clipped = rect.intersected(QRect(0, 0, w, h)); - if (d % 8 == 0) - return QImage(image.scanLine(clipped.y()) + clipped.x() * (d / 8), + const uint du = uint(d); + if ((du % 8 == 0) && (((uint(clipped.x()) * du)) % 32 == 0)) + return QImage(image.scanLine(clipped.y()) + clipped.x() * (du / 8), clipped.width(), clipped.height(), image.bytesPerLine(), image.format()); else diff --git a/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp b/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp index f5298a1690..61f53a5073 100644 --- a/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp +++ b/tests/auto/gui/image/qpixmap/tst_qpixmap.cpp @@ -167,6 +167,8 @@ private slots: void scaled_QTBUG19157(); void detachOnLoad_QTBUG29639(); + + void copyOnNonAlignedBoundary(); }; static bool lenientCompare(const QPixmap &actual, const QPixmap &expected) @@ -1503,5 +1505,13 @@ void tst_QPixmap::detachOnLoad_QTBUG29639() QVERIFY(a.toImage() != b.toImage()); } +void tst_QPixmap::copyOnNonAlignedBoundary() +{ + QImage img(8, 2, QImage::Format_RGB16); + + QPixmap pm1 = QPixmap::fromImage(img, Qt::NoFormatConversion); + QPixmap pm2 = pm1.copy(QRect(5, 0, 3, 2)); // When copying second line: 2 bytes too many are read which might cause an access violation. +} + QTEST_MAIN(tst_QPixmap) #include "tst_qpixmap.moc"