Details
- Bug
- Resolution: Done
- P1: Critical
- 5.5.0
- None
- 01c15a94387f8791e2bd600519de98bd0e03f266
Description
Specific commit:
introduces undefined behaviour because of an out-of-bounds read.
Previously there was an "if(XAP > 0){" condition, and only in that case were both "pix" and "pix+1" dereferenced; it was not evaluated when "y == dh - 1 && x == end - 1", and if "XAP == 0" just the value of "pix" (equal to "&sptr[xpoints[x] ]", equal to "ypoints[dyy + y] + xpoints[x]") was used.
But after that commit it was replaced by a short:

```cpp
for (int x = dxx; x < end; x++) {
    const unsigned int *pix = sptr + xpoints[x];
    const int xap = xapoints[x];
    *dptr = INTERPOLATE_PIXEL_256(pix[0], 256 - xap, pix[1], xap);
    dptr++;
}
```

in which we always read pix[1] even if pix already points to the last allocated int (the value is not used, because xap is zero and pix[1] is multiplied by zero), which is undefined behaviour and crashes on OS X (at least).
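To make the failure mode concrete, here is an added example (not code from the report or from qtbase) that mirrors the two shapes of the inner loop on a constructed source row. It uses a bounds-checked read helper so the one-past-the-end access is counted instead of actually touching memory past the buffer; `interpolate_256` is an assumed per-channel stand-in for Qt's INTERPOLATE_PIXEL_256, and the `xpoints`/`xapoints` tables are constructed by hand to put the last destination pixel on the last source pixel with a zero weight, exactly the case described above.

```c
#include <stddef.h>
#include <stdio.h>

/* Per-channel blend of two 0xAARRGGBB pixels with weights a and b, a + b == 256.
 * Assumed simplified shape of Qt's INTERPOLATE_PIXEL_256, not the real macro. */
unsigned int interpolate_256(unsigned int p0, unsigned int a, unsigned int p1, unsigned int b)
{
    unsigned int out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        unsigned int c0 = (p0 >> shift) & 0xffu;
        unsigned int c1 = (p1 >> shift) & 0xffu;
        out |= (((c0 * a + c1 * b) >> 8) & 0xffu) << shift;
    }
    return out;
}

/* Bounds-checked read: returns the pixel when idx is inside the row; otherwise
 * counts the violation and returns 0 rather than reading past the buffer. */
static unsigned int read_px(const unsigned int *row, size_t len, size_t idx, int *oob_reads)
{
    if (idx >= len) {
        (*oob_reads)++;
        return 0;
    }
    return row[idx];
}

/* Loop as it reads after the offending commit: the neighbour pix[1] is fetched
 * unconditionally, even when its weight xap is zero. Returns the OOB read count. */
int upscale_row_unguarded(const unsigned int *row, size_t sw,
                          const int *xpoints, const int *xapoints,
                          unsigned int *dst, size_t dw)
{
    int oob = 0;
    for (size_t x = 0; x < dw; x++) {
        size_t base = (size_t)xpoints[x];
        int xap = xapoints[x];
        unsigned int p0 = read_px(row, sw, base, &oob);
        unsigned int p1 = read_px(row, sw, base + 1, &oob); /* one past the end when base == sw - 1 */
        dst[x] = interpolate_256(p0, (unsigned int)(256 - xap), p1, (unsigned int)xap);
    }
    return oob;
}

/* Same loop with the pre-commit guard: the neighbour is only read when its
 * weight is non-zero, so a zero-weight last pixel never looks past the row. */
int upscale_row_guarded(const unsigned int *row, size_t sw,
                        const int *xpoints, const int *xapoints,
                        unsigned int *dst, size_t dw)
{
    int oob = 0;
    for (size_t x = 0; x < dw; x++) {
        size_t base = (size_t)xpoints[x];
        int xap = xapoints[x];
        unsigned int p0 = read_px(row, sw, base, &oob);
        if (xap > 0) {
            unsigned int p1 = read_px(row, sw, base + 1, &oob);
            dst[x] = interpolate_256(p0, (unsigned int)(256 - xap), p1, (unsigned int)xap);
        } else {
            dst[x] = p0; /* weight 256 on p0, 0 on the neighbour: the blend is identity */
        }
    }
    return oob;
}

/* Constructed 3-pixel source row upscaled to 5 pixels. The last destination
 * pixel maps onto the last source pixel with xap == 0, the case from the report. */
#define SRC_W 3
#define DST_W 5
static const unsigned int SAMPLE_ROW[SRC_W] = { 0xff000000u, 0xff0000ffu, 0xffff0000u };
static const int SAMPLE_XPOINTS[DST_W]  = { 0, 0, 1, 1, 2 };
static const int SAMPLE_XAPOINTS[DST_W] = { 0, 128, 0, 128, 0 };

/* Runs both loops on the sample; oob[0]/oob[1] receive the OOB read counts.
 * Returns 1 when both loops produce identical output pixels, 0 otherwise. */
int run_demo(int oob[2])
{
    unsigned int out_unguarded[DST_W], out_guarded[DST_W];
    oob[0] = upscale_row_unguarded(SAMPLE_ROW, SRC_W, SAMPLE_XPOINTS, SAMPLE_XAPOINTS, out_unguarded, DST_W);
    oob[1] = upscale_row_guarded(SAMPLE_ROW, SRC_W, SAMPLE_XPOINTS, SAMPLE_XAPOINTS, out_guarded, DST_W);
    for (size_t x = 0; x < DST_W; x++)
        if (out_unguarded[x] != out_guarded[x])
            return 0;
    return 1;
}

int main(void)
{
    int oob[2];
    int same = run_demo(oob);
    printf("unguarded loop: %d out-of-bounds read(s)\n", oob[0]);
    printf("guarded loop:   %d out-of-bounds read(s)\n", oob[1]);
    printf("outputs identical: %s\n", same ? "yes" : "no");
    return 0;
}
```

The point the demo makes is that the two loops compute the same pixels; the only difference is that the unguarded one performs a read whose result is multiplied by zero, and that read lands one element past the row on the last pixel. Under ASan or with a guard page after the buffer that read is a crash rather than a harmless no-op.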
Attachments
Issue Links
- is duplicated by QTBUG-48148 QImage smooth scaling crashes (Closed)

For Gerrit Dashboard: QTBUG-47228

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 122212,3 | Fix out-of-buffer read on image upscale | 5.5 | qt/qtbase | Status: MERGED | +2 | 0 |