--- //depot/qt/4.1.5/src/gui/image/qimage.cpp Thu Oct 19 17:01:50 CEST 2006 +++ //depot/qt/4.1.5/src/gui/image/qimage.cpp Thu Oct 19 17:01:50 CEST 2006 @@ -180,12 +180,12 @@ QImageData * QImageData::create(const QSize &size, QImage::Format format, int numColors) { - int width = size.width(); - int height = size.height(); + uint width = size.width(); + uint height = size.height(); if (width <= 0 || height <= 0 || numColors < 0 || format == QImage::Format_Invalid) return 0; // invalid parameter(s) - int depth = 0; + uint depth = 0; switch(format) { case QImage::NImageFormats: case QImage::Format_Invalid: @@ -214,6 +214,15 @@ #endif } + const int bytes_per_line = ((width * depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8) + + // sanity check for potential overflows + if (INT_MAX/depth < width + || bytes_per_line <= 0 + || INT_MAX/uint(bytes_per_line) < height + || INT_MAX/sizeof(uchar *) < uint(height)) + return 0; + QImageData *d = new QImageData; d->colortable.resize(numColors); if (depth == 1) { @@ -230,7 +239,7 @@ d->format = format; d->has_alpha_clut = false; - d->bytes_per_line = ((width * d->depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8) + d->bytes_per_line = bytes_per_line; d->nbytes = d->bytes_per_line*height; d->data = (uchar *)malloc(d->nbytes); @@ -753,7 +762,13 @@ : QPaintDevice() { d = 0; - if (format == Format_Invalid || width <= 0 || height <= 0 || !data) + const int depth = depthForFormat(format); + const int bytes_per_line = ((width * d->depth + 31)/32) * 4; + if (format == Format_Invalid || width <= 0 || height <= 0 || !data + || INT_MAX/sizeof(uchar *) < uint(height) + || INT_MAX/uint(depth) < uint(width) + || bytes_per_line <= 0 + || INT_MAX/uint(bytes_per_line) < uint(height)) return; // invalid parameter(s) d = new QImageData; d->ref.ref(); 
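Review bot: In the `@@ -180,12 +180,12 @@` hunk of `QImageData::create`, `width` and `height` become `uint`, so the `width <= 0 || height <= 0` guard that follows can only catch zero. A negative `QSize` wraps to a very large value and is rejected only by the overflow checks added in the next hunk. Testing the sign before the conversion keeps this guard meaningful on its own, e.g. `if (size.width() <= 0 || size.height() <= 0 || numColors < 0 || format == QImage::Format_Invalid)`. The function body continues outside this hunk.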
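Review bot: In the `@@ -214,6 +214,15 @@` hunk, `INT_MAX/depth` divides by a `uint` that the previous hunk initialises to 0. The switch that assigns it is only partly visible, so if any format leaves it at 0, the first overflow test becomes a division by zero. Putting `depth == 0 ||` at the front of the condition would make the check self-contained. The trailing comment on `bytes_per_line` says "multiple of 8" while `>> 5) << 2` rounds to a multiple of 4 bytes; `// bytes per scanline, rounded up to a 32-bit boundary` would match the code.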
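Review bot: In the `@@ -753,7 +762,13 @@` constructor hunk, `bytes_per_line` is computed from `d->depth` on the line right after `d = 0;`, so the new code dereferences a null pointer before any of the added validation runs. The local introduced one line earlier is what is meant: `const int bytes_per_line = ((width * depth + 31)/32) * 4;`. The constructor's signature and the rest of its body lie outside the hunk.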
@@ -762,10 +777,10 @@ d->data = data; d->width = width; d->height = height; - d->depth = depthForFormat(format); + d->depth = depth; d->format = format; - d->bytes_per_line = ((width * d->depth + 31)/32) * 4; + d->bytes_per_line = bytes_per_line; d->nbytes = d->bytes_per_line * height; } @@ -987,7 +1002,13 @@ Format f = formatFor(depth, bitOrder); if (f == Format_Invalid) return; - if (w <= 0 || h <= 0 || numColors < 0 || !data) + + const int bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline + if (w <= 0 || h <= 0 || numColors < 0 || !data + || INT_MAX/sizeof(uchar *) < uint(h) + || INT_MAX/uint(depth) < uint(w) + || bytes_per_line <= 0 + || INT_MAX/uint(bytes_per_line) < uint(h)) return; // invalid parameter(s) d = new QImageData; d->ref.ref(); @@ -1001,7 +1022,7 @@ if (depth == 32) numColors = 0; - d->bytes_per_line = ((w*depth+31)/32)*4; // bytes per scanline + d->bytes_per_line = bytes_per_line; d->nbytes = d->bytes_per_line * h; if (colortable) { d->colortable.resize(numColors); @@ -1035,7 +1056,11 @@ Format f = formatFor(depth, bitOrder); if (f == Format_Invalid) return; - if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0) + if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX/sizeof(uchar *) < uint(h) + || INT_MAX/uint(depth) < uint(w) + || bpl <= 0 + || INT_MAX/uint(bpl) < uint(h)) return; // invalid parameter(s) d = new QImageData; --- //depot/qt/4.1.5/src/gui/image/qpixmap_x11.cpp Thu Oct 19 17:01:50 CEST 2006 +++ //depot/qt/4.1.5/src/gui/image/qpixmap_x11.cpp Thu Oct 19 17:01:50 CEST 2006 @@ -978,6 +978,9 @@ const int dd = X11->use_xrender && img.hasAlphaChannel() ? 32 : pixmap.data->xinfo.depth(); bool force_mono = (dd == 1 || (flags & Qt::ColorMode_Mask) == Qt::MonoOnly); + if (uint(w) >= 32768 || uint(h) >= 32768) + return QPixmap(); + // must be monochrome if (force_mono) { if (d != 1) { 
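Review bot: In the `@@ -987,7 +1002,13 @@` hunk, `((w*depth+31)/32)*4` is evaluated in signed `int` before the condition that is meant to reject oversized `w` and `depth`. The overflow being guarded against has therefore already happened, as undefined behaviour on signed operands, by the time the test runs. Doing the arithmetic unsigned, as `QImageData::create` does, avoids that: `const int bytes_per_line = int(((uint(w) * uint(depth) + 31) / 32) * 4);`. The same ordering applies to the `@@ -753,7 +762,13 @@` hunk once its `d->depth` is corrected. The constructor starts and ends outside this hunk.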
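Review bot: In the `@@ -1035,7 +1056,11 @@` hunk, the caller-supplied `bpl` is only required to be positive and small enough that `bpl * h` fits in an `int`. Nothing compares it with the scanline length implied by `w` and `depth`, so a stride shorter than one row of pixels still passes. If the rest of the class assumes each scanline holds `w` pixels (not visible here), adding `|| uint(bpl) < (uint(w) * uint(depth) + 7) / 8` after the `INT_MAX/uint(depth) < uint(w)` test would close that gap. The constructor body continues outside the hunk.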
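Review bot: In the qpixmap_x11.cpp `@@ -978,6 +978,9 @@` hunk, the limit `32768` is a bare literal with no explanation, and the same value is repeated in the `QPixmap::transformed` hunk further down. A named constant shared by both sites, with a one-line comment such as `// reject sizes that do not fit the 16-bit dimensions used on the X11 side`, would document why oversized images yield a null pixmap. That rationale is my reading rather than something the patch states, so it should be confirmed. `w` and `h` are declared outside the hunk.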
@@ -1787,11 +1790,11 @@ QPixmap QPixmap::transformed(const QMatrix &matrix, Qt::TransformationMode mode) const { - int w = 0; - int h = 0; // size of target pixmap - int ws, hs; // size of source pixmap + uint w = 0; + uint h = 0; // size of target pixmap + uint ws, hs; // size of source pixmap uchar *dptr; // data in target pixmap - int dbpl, dbytes; // bytes per line/bytes total + uint dbpl, dbytes; // bytes per line/bytes total uchar *sptr; // data in original pixmap int sbpl; // bytes per line in original int bpp; // bits per pixel @@ -1806,20 +1809,24 @@ QMatrix mat(matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0.); bool complex_xform = false; + qreal scaledWidth; + qreal scaledHeight; if (mat.m12() == 0.0F && mat.m21() == 0.0F) { if (mat.m11() == 1.0F && mat.m22() == 1.0F) // identity matrix return *this; - h = int(qAbs(mat.m22()) * hs + 0.9999); - w = int(qAbs(mat.m11()) * ws + 0.9999); - h = qAbs(h); - w = qAbs(w); + scaledHeight = qAbs(mat.m22()) * hs + 0.9999; + scaledWidth = qAbs(mat.m11()) * ws + 0.9999; + h = qAbs(int(h)); + w = qAbs(int(w)); } else { // rotation or shearing QPolygonF a(QRectF(0, 0, ws+1, hs+1)); a = mat.map(a); QRectF r = a.boundingRect().normalized(); w = int(r.width() + 0.9999); h = int(r.height() + 0.9999); + scaledWidth = w; + scaledHeight = h; complex_xform = true; } mat = trueMatrix(mat, ws, hs); // true matrix @@ -1828,7 +1835,8 @@ bool invertible; mat = mat.inverted(&invertible); // invert matrix - if (h == 0 || w == 0 || !invertible) + if (h == 0 || w == 0 || !invertible + || qAbs(scaledWidth) >= 32768 || qAbs(scaledHeight) >= 32768 ) // error, return null pixmap return QPixmap(); if (mode == Qt::SmoothTransformation) {
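Review bot: In the `@@ -1806,20 +1809,24 @@` hunk, the pure-scaling branch stores the computed sizes in `scaledHeight` and `scaledWidth`, but then sets `h = qAbs(int(h));` and `w = qAbs(int(w));`. Both read the variables that the previous hunk initialises to 0, and nothing visible assigns them in between. If so, `w` and `h` stay 0 and the `h == 0 || w == 0` test in the next hunk returns a null pixmap for every scale-only transform. The lines presumably intended are `h = qAbs(int(scaledHeight));` and `w = qAbs(int(scaledWidth));`. The function body starts and continues outside the hunk.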
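Review bot: In the `@@ -1828,7 +1835,8 @@` hunk, the `>= 32768` test on `scaledWidth` and `scaledHeight` runs after `w` and `h` have already been converted to integers. In the rotation branch of the previous hunk, `scaledWidth = w;` copies the already converted value, so an out-of-range bounding rectangle is cast to `int` before anything rejects it. Capturing the floating-point sizes first (`scaledWidth = r.width() + 0.9999;`) and doing the range test before the casts would make the check cover the conversion as well. Writing the bound as `!(scaledWidth < 32768)` would also reject a NaN produced by a degenerate matrix. The function continues outside the hunk.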