Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-83777

QImage crashes on save when bytesPerLine is larger than "width" 32 aligned

    XMLWordPrintable

Details

    • Windows
    • 41387bb330bb694f7e423f180bdbf88c7200985b (qt/qtbase/5.15.0)

    Description

      After more research here is what I have found:

      Documentation for 

      QImage::QImage(const uchar *data, int width, int height, QImage::Format format, QImageCleanupFunction cleanupFunction = nullptr, void *cleanupInfo = nullptr)

      should be updated not only the bytesPerLine  must be aligned on 32 but must be equal to "width" aligned on 32 and no larger.

       

      Original problem:

       

      Qt lib crashes when saving images created from user buffer with bytesPerLine aligned on 32 and larger than width (for example width: 300, bytesPerLine: 320) with format QImage::Format_Grayscale8

      At some point during saving Qt allocates temp image with bytesPerLine that is less than the user-created image then later on this code crases:

      memcpy(dest->data, src->data, src->bytes_per_line * src->height);
      

       

      Test code:

      static void conversionBufferFree(void *info)\{ _aligned_free(info);} 
      
      void TestQImage()
      
      { int width = 300; int height = 200; int stride = 320; unsigned char* buff = (unsigned char*)_aligned_malloc(size_t(stride*height), size_t(32)); Q_ASSERT((reinterpret_cast<uintptr_t>(buff) & 3) == 0); memset(buff, 0, stride*height); QImage image(buff, width, height, stride, QImage::Format_Grayscale8, conversionBufferFree, buff); image.save("D:\\0000A.bmp", "bmp");}
      

       

      problematic code in QT: the problem is that dest->bytes_per_line is 300 and src->bytes_per_line is 320 ; memcpy overwrites memory ->crash

      dest is a temp image allocated by Qt for conversion;

       

      static void convert_Grayscale8_to_Indexed8(QImageData *dest, const QImageData *src, Qt::ImageConversionFlags)
      
      { Q_ASSERT(src->format == QImage::Format_Grayscale8); Q_ASSERT(dest->format == QImage::Format_Indexed8); memcpy(dest->data, src->data, src->bytes_per_line * src->height); <<< CRASH >>>> dest->colortable = defaultColorTables->gray; }
      

       

       

      Attachments

        For Gerrit Dashboard: QTBUG-83777
        # Subject Branch Project Status CR V

        Activity

          People

            allan.jensen Allan Sandfeld Jensen
            daren Daren Tyminski
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes