From 9fbce8d5cbcc9d8d255328d6ec040db0510ca289 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 10 Dec 2018 11:06:26 +0100
Subject: [PATCH] Avoid crash in blitting or fast draw when QPointF is too big

Change-Id: I88182d5d95fda15d33836f16dee78167685b3765
Fixes: QTBUG-72392
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Tim Jenssen <tim.jenssen@qt.io>
---
 src/gui/painting/qpaintengine_raster.cpp         |  8 ++++++++
 .../auto/gui/painting/qpainter/tst_qpainter.cpp  | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/gui/painting/qpaintengine_raster.cpp b/src/gui/painting/qpaintengine_raster.cpp
index 7caaf3a8fa..90b6d16551 100644
--- a/src/gui/painting/qpaintengine_raster.cpp
+++ b/src/gui/painting/qpaintengine_raster.cpp
@@ -997,6 +997,10 @@ void QRasterPaintEnginePrivate::drawImage(const QPointF &pt,
 {
     if (alpha == 0 || !clip.isValid())
         return;
+    if (pt.x() > qreal(clip.right()) || pt.y() > qreal(clip.bottom()))
+        return;
+    if ((pt.x() + img.width()) < qreal(clip.left()) || (pt.y() + img.height()) < qreal(clip.top()))
+        return;
 
     Q_ASSERT(img.depth() >= 8);
 
@@ -1063,6 +1067,10 @@ void QRasterPaintEnginePrivate::blitImage(const QPointF &pt,
 {
     if (!clip.isValid())
         return;
+    if (pt.x() > qreal(clip.right()) || pt.y() > qreal(clip.bottom()))
+        return;
+    if ((pt.x() + img.width()) < qreal(clip.left()) || (pt.y() + img.height()) < qreal(clip.top()))
+        return;
 
     Q_ASSERT(img.depth() >= 8);
 
diff --git a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
index 9bf9e99bf9..bc0baed15c 100644
--- a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
+++ b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
@@ -299,6 +299,8 @@ private slots:
 
     void fillPolygon();
 
+    void drawImageAtPointF();
+
 private:
     void fillData();
     void setPenColor(QPainter& p);
@@ -5292,6 +5294,20 @@ void tst_QPainter::fillPolygon()
     }
 }
 
+void tst_QPainter::drawImageAtPointF()
+{
+    // Just test we do not crash
+    QImage image1(10, 10, QImage::Format_RGB32);
+    QImage image2(200, 200, QImage::Format_RGB32);
+
+    QPainter paint(&image2);
+    paint.setClipRect(97, 46, 14, 14);
+    paint.setCompositionMode(QPainter::CompositionMode_Source);
+    paint.drawImage(QPointF(96, std::numeric_limits<int>::max()), image1);
+    paint.drawImage(QPointF(std::numeric_limits<int>::min(), 48), image1);
+    paint.end();
+}
+
 QTEST_MAIN(tst_QPainter)
 
 #include "tst_qpainter.moc"