Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.5.1
-
None
-
Windows, Qt5.5 32bit.
-
3c68f26c052b06da9b43bb775cbe5a539fccb0c3
Description
Had crash reports from clients with the following trace:
> qjp2.dll!Jpeg2000JasperReader::newRGBAImage(const int width=1440, const int height=2560, bool alpha=false) Line 1044 C++
qjp2.dll!Jpeg2000JasperReader::write(const QImage & image={...}, int quality=-1) Line 780 C++
qjp2.dll!QJp2Handler::write(const QImage & image={...}) Line 250 C++
qwindows.dll!QWindowsOleDataObject::GetData(tagFORMATETC * pformatetc=0x005bf184, tagSTGMEDIUM * pmedium=0x005bf160) Line 144 C++
ole32.dll!HandleFromHandle(IDataObject * pDataObj, tagFORMATETC * pformatetc=0x005bf184, tagSTGMEDIUM * pmedium=0x005bf1c4) Line 2130 C++
ole32.dll!RenderCurrentFormat(HWND__ * hClipWnd, unsigned int cf=50201, tagSTGMEDIUM * pmedium=0x005bf1c4, IDataObject * pDataObj=0x104b60d8) Line 4002 C++
ole32.dll!RenderFormat(HWND__ * hClipWnd=0x0011153e, unsigned int cf=50201, IDataObject * pDataObj=0x104b60d8, void * pvMTADataObject=0x00000000) Line 4135 C++
ole32.dll!ClipboardWndProc(HWND__ * hWnd=0x0011153e, unsigned int msg=773, unsigned int wParam=50201, long lParam=0) Line 810 C++
user32.dll!__InternalCallWinProc@20
() Unknown
user32.dll!_UserCallWinProcCheckWow@36
() Unknown
user32.dll!_DispatchClientMessage@24
() Unknown
user32.dll!___fnDWORD@4
() Unknown
ntdll.dll!_KiUserCallbackDispatcher@12
() Unknown
user32.dll!_NtUserGetClipboardData@8
() Unknown
user32.dll!_GetClipboardData@4
() Unknown
ole32.dll!FlushViaUser32Render(HWND__ * hClipWnd, FORMATETCDATAARRAY * pFormatEtcDataArray=0x07a48748) Line 2338 C++
ole32.dll!OleFlushClipboardInternal(const wchar_t * pszCallerPackgeFullName, bool fInBroker, bool fTextOnly=false) Line 2590 C++
ole32.dll!OleFlushClipboard() Line 2285 C++
qwindows.dll!QWindowsClipboard::clipboardViewerWndProc(HWND__ * hwnd=0x0024180a, unsigned int message=2, unsigned int wParam=0, long lParam=0, long * result=0x005bf49c) Line 281 C++
qwindows.dll!qClipboardViewerWndProc(HWND__ * hwnd=0x0024180a, unsigned int message=2, unsigned int wParam=0, long lParam=0) Line 123 C++
user32.dll!__InternalCallWinProc@20
() Unknown
user32.dll!_UserCallWinProcCheckWow@36
() Unknown
user32.dll!_DispatchClientMessage@24
() Unknown
user32.dll!___fnDWORD@4
() Unknown
ntdll.dll!_KiUserCallbackDispatcher@12
() Unknown
kernel32.dll!@BaseThreadInitThunk@12
() Unknown
ntdll.dll!__RtlUserThreadStart() Unknown
ntdll.dll!__RtlUserThreadStart@8
() Unknown
Looking in qjp2handle.cpp, Jpeg2000JasperReader::newRGBAImage we can see the return value from jas_image_create is never checked before use in jas_image_setcmpttype.
jas_image_create can return 0.