Details
- Bug
- Resolution: Unresolved
- P1: Critical
- None
- 6.10
- None
- a66f51fe8 (dev)
Description
QPicture keeps a "bounding rectangle" of its drawing. It can either be set by the user, or it gets automatically calculated by the drawing commands:
```cpp
void QPicturePaintEngine::writeCmdLength(int pos, const QRectF &r, bool corr)
{
    ....
        // update the calculated bounding rectangle:
        if (br.width() > 0.0 || br.height() > 0.0) {
            int minx = qFloor(br.left());
            int miny = qFloor(br.top());
            int maxx = qCeil(br.right());
            int maxy = qCeil(br.bottom());

            if (d->pic_d->brect.width() > 0 || d->pic_d->brect.height() > 0) {
                minx = qMin(minx, d->pic_d->brect.left());
                miny = qMin(miny, d->pic_d->brect.top());
                maxx = qMax(maxx, d->pic_d->brect.x() + d->pic_d->brect.width());
                maxy = qMax(maxy, d->pic_d->brect.y() + d->pic_d->brect.height());
                d->pic_d->brect = QRect(minx, miny, maxx - minx, maxy - miny);
            } else {
                d->pic_d->brect = QRect(minx, miny, maxx - minx, maxy - miny);
            }
        }
    }
}
```
If a drawing spans over INT_MAX units, the subtractions to calculate width/height will overflow, breaking the resulting bounding rect.
A local fix isn't sufficient, because QPicture also streams out its bounding rectangle (either calculated or set by the user), and the protocol streams out the width and the height, even though they may be meaningless (overflowing):
```cpp
bool QPicturePaintEngine::end()
{
    ...
    if (d->pic_d->formatMajor >= 4) { // bounding rectangle
        QRect r = static_cast<QPicture *>(d->pdev)->boundingRect();
        d->s << (qint32) r.left() << (qint32) r.top()
             << (qint32) r.width() << (qint32) r.height();
    }
```
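The overflow described above, reproduced outside Qt as an added example (not code from Qt or from this report): `IRect`, `Edges`, `wrappedSpan`, `exactSpan`, `unite` and `toRect` are hypothetical names, the coordinates are constructed, and `int` is assumed to be 32 bits. It shows why the edges of such a drawing are still representable while the width that would be streamed as `qint32` is not.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-ins, not Qt types: a rect stored as x/y/width/height,
// and the same extents stored as four edges.
struct IRect { int x, y, w, h; };
struct Edges { int minx, miny, maxx, maxy; };

// The value a 32-bit "hi - lo" wraps to. Done in unsigned arithmetic so the
// demo itself does not execute signed-overflow undefined behaviour.
int32_t wrappedSpan(int lo, int hi) {
    return static_cast<int32_t>(static_cast<uint32_t>(hi) - static_cast<uint32_t>(lo));
}

// Exact span: the difference of two 32-bit ints always fits in 64 bits.
int64_t exactSpan(int lo, int hi) {
    return static_cast<int64_t>(hi) - static_cast<int64_t>(lo);
}

// Union of two extents; min/max on edges cannot overflow.
Edges unite(const Edges &a, const Edges &b) {
    return { std::min(a.minx, b.minx), std::min(a.miny, b.miny),
             std::max(a.maxx, b.maxx), std::max(a.maxy, b.maxy) };
}

// Convert to x/y/width/height only if both spans are representable as int.
// Returns false (and leaves *out untouched) otherwise.
bool toRect(const Edges &e, IRect *out) {
    const int64_t w = exactSpan(e.minx, e.maxx);
    const int64_t h = exactSpan(e.miny, e.maxy);
    if (w < 0 || h < 0 || w > INT_MAX || h > INT_MAX)
        return false;
    *out = IRect{ e.minx, e.miny, static_cast<int>(w), static_cast<int>(h) };
    return true;
}

int main() {
    // Constructed input: two small drawing commands far apart on the x axis.
    const Edges a{ -2000000000, 0, -1999999000, 10 };
    const Edges b{  1999999000, 0,  2000000000, 10 };
    const Edges u = unite(a, b);
    IRect r{};
    std::printf("exact width   : %lld\n", static_cast<long long>(exactSpan(u.minx, u.maxx)));
    std::printf("32-bit width  : %d\n", static_cast<int>(wrappedSpan(u.minx, u.maxx)));
    std::printf("representable : %s\n", toRect(u, &r) ? "yes" : "no");
    return 0;
}
```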
Gerrit Reviews
For Gerrit Dashboard: QTBUG-133293

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 620826,11 | QPicture: (almost) work around overflow in bounding box calculations | dev | qt/qtbase | MERGED | +2 | 0 |