Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 4.7.0
Affects Version/s: 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2
Component/s: (Inactive) GUI: QWS Integration (Qt4)
Labels:
None
Environment:
-embedded x86
-qt-gfx-vnc -qt-gfx-multiscreen

Commits:
57fcc060fdce0874309ec94bb7ab77b44554e91b

Description

In the function QVNCServer::convertPixels() (src/plugins/gfxdrivers/vnc/qscreenvnc_qws.cp around line 1450) in certain situation byte counter used as index for writing into last element of quint32 array (dereferences dst32 pointer)

quint32 *dst32 = reinterpret_cast<quint32*>(dst);
int count32 = count * sizeof(quint16) / sizeof(quint32);
while (count32--) {
...
    *dst32++ = result2;
    *dst32++ = result1;
}
if (count & 0x1) {
...
    dst32[count - 1] = qt_conv16ToRgb(src16[count - 1]);
}

write to dst32[count - 1] will cause memory corruption outside of intended buffer.

To fix the issue we replaced last assignment with:

*dst32 = qt_conv16ToRgb(src16[count - 1]);

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Paul Olav Tvete

Reporter:: Georgiy Shapovalov

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18 Jun '10 03:42

Updated:: 22 Jun '10 09:25

Resolved:: 21 Jun '10 12:06

Gerrit Reviews

There are no open Gerrit changes