QTBUG-37220

Buffer overflow in qt_scale_image_16bit reading from source array when qreal is single precision

Details

• Type: Bug
• Status: Closed
• Priority: Not Evaluated
• Resolution: Done
• Affects Version/s: 4.8.5
• Fix Version/s: 4.8.6, 5.3.0
• Component/s: GUI: Painting
• Labels: None
• Commits: c4d8734c504cf0f313245befa34501e7314b4cd1, 343df131f7207d65932c6505769aa2fb7fc04713

Description

Depending on memory layout and input data, you can have an access violation in function qt_scale_image_16bit, since the while loop iterates past the input buffer bounds. The problem is computing iy.
This value is derived by casting a float to int, so it should be a lower bound; that's fine, since otherwise we would go out of bounds reading input data. But the float itself can be an upper bound, so iy might lead to this faulting state:

(iy * targetRect.height()) > (65536*srcRect.height()) !!

meaning that, depending on other input values, we could iterate past the input bounds. Actually the fix consists of decrementing iy by one in the above case.

I think the issue might also affect the latest releases since the source code looks the same.

Attached is a small program showing the access violation exception on the wce platform.
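As an added illustration (not code from the report or from Qt), the following C++ emulates the 16.16 fixed-point step computation the report describes, once with qreal as float and once as double, checks the faulting condition, and applies the one-step decrement the report proposes. The function names and the 3-by-386 row counts are constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>

// Step computation as in qt_scale_image_16bit with qreal = float (WinCE build):
// sy and the division stay in single precision, then the float is truncated
// to int, exactly as `int iy = 0x00010000 / sy;` does.
static int stepSinglePrecision(int targetHeight, int srcHeight) {
    float sy = static_cast<float>(targetHeight) / static_cast<float>(srcHeight);
    float q = 65536.0f / sy;  // single-precision rounding may land above the exact quotient
    return static_cast<int>(q);
}

// Same computation with qreal = double (desktop builds).
static int stepDoublePrecision(int targetHeight, int srcHeight) {
    double sy = static_cast<double>(targetHeight) / static_cast<double>(srcHeight);
    return static_cast<int>(65536.0 / sy);
}

// The condition from the report: iy * targetRect.height() > 65536 * srcRect.height().
// Uses 64-bit arithmetic so the products themselves cannot overflow.
static bool stepOvershoots(int iy, int targetHeight, int srcHeight) {
    return static_cast<int64_t>(iy) * targetHeight >
           static_cast<int64_t>(65536) * srcHeight;
}

// The correction the report proposes: decrement iy by one when it overshoots.
static int guardedStep(int iy, int targetHeight, int srcHeight) {
    return stepOvershoots(iy, targetHeight, srcHeight) ? iy - 1 : iy;
}

// Scans (target, source) height pairs and counts those where the
// single-precision step violates the invariant; shows the bug is input dependent.
static int countOvershoots(int maxTargetHeight, int maxSrcHeight) {
    int n = 0;
    for (int t = 1; t <= maxTargetHeight; ++t)
        for (int s = 1; s <= maxSrcHeight; ++s)
            if (stepOvershoots(stepSinglePrecision(t, s), t, s))
                ++n;
    return n;
}

int main() {
    // Constructed input: 386 source rows scaled down to 3 target rows.
    const int t = 3, s = 386;
    int iy = stepSinglePrecision(t, s);
    std::printf("float iy=%d overshoot=%d, double iy=%d, guarded iy=%d\n", iy,
                stepOvershoots(iy, t, s), stepDoublePrecision(t, s), guardedStep(iy, t, s));
    return 0;
}
```

Whether a call that satisfies the condition actually reads past the source buffer also depends on the other rectangle and clip values, as the report notes.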

People

Assignee: Lars Knoll (laknoll)
Reporter: Arrigo Zanette (zanettea)
Votes: 1
Watchers: 3
