
qt3-3.3.4-23.2.20060mdk.src.rpm

--- src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006
+++ src/kernel/qimage.cpp	Thu Oct 19 14:41:41 CEST 2006

@@ -475,7 +475,12 @@
 		Endian bitOrder )
 {
     init();
-    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
+    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
+    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
+         || INT_MAX / sizeof(uchar *) < uint(h)
+         || INT_MAX / uint(depth) < uint(w)
+         || bpl <= 0
+         || INT_MAX / uint(bpl) < uint(h) )
 	return;					// invalid parameter(s)
     data->w = w;
     data->h = h;
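Review bot: `int bpl = ((w*depth+31)/32)*4;` now runs before any of the range checks that follow it, so the signed multiplication `w*depth` can already overflow (undefined behaviour) on exactly the inputs those checks are meant to reject. The `bpl <= 0` test only catches wraps that happen to land on a non-positive value. Keep the `w`/`h`/`depth`/`numColors` and `INT_MAX / uint(depth) < uint(w)` conditions in the first `if`, then compute `bpl` and test it on its own: `if ( bpl <= 0 || INT_MAX / uint(bpl) < uint(h) ) return;`. Even then `w*depth+31` can exceed `INT_MAX` when the product is within 31 of the limit, so the depth check would be safer as `(INT_MAX - 31) / uint(depth) < uint(w)`. The constructor's signature starts outside the hunk.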
@@ -483,7 +488,6 @@
     data->ncols = depth != 32 ? numColors : 0;
     if ( !yourdata )
 	return;	    // Image header info can be saved without needing to allocate memory.
-    int bpl = ((w*depth+31)/32)*4;	// bytes per scanline
     data->nbytes = bpl*h;
     if ( colortable || !data->ncols ) {
 	data->ctbl = colortable;
@@ -525,7 +529,10 @@
 		Endian bitOrder )
 {
     init();
-    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 )
+    if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
+         || INT_MAX / sizeof(uchar *) < uint(h)
+         || INT_MAX / uint(bpl) < uint(h)
+         )
 	return;					// invalid parameter(s)
     data->w = w;
     data->h = h;
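Review bot: `INT_MAX / uint(bpl) < uint(h)` in the added condition divides by zero when `bpl == 0`, and nothing visible in this `if` rejects that value first; the equivalent check in the first constructor has `bpl <= 0` ahead of the same division. Add `|| bpl <= 0` before the division line. The hunk at `-1277` has the same ordering problem: `bpl < 0` is tested only after `uint(bpl)` has been used as a divisor, so it should read `bpl <= 0 || INT_MAX / uint(bpl) < uint(height)`. Here `bpl` is presumably the caller-supplied scanline length, but the signature lies outside the hunk, so that should be confirmed.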
@@ -1264,7 +1271,7 @@
     if ( data->ncols != numColors )		// could not alloc color table
 	return FALSE;
 
-    if ( INT_MAX / depth < width) { // sanity check for potential overflow
+    if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow
 	setNumColors( 0 );
 	return FALSE;
     }
@@ -1277,7 +1284,9 @@
     // #### WWA: shouldn't this be (width*depth+7)/8:
     const int pad = bpl - (width*depth)/8;	// pad with zeros
 #endif
-    if (INT_MAX / bpl < height) { // sanity check for potential overflow
+    if ( INT_MAX / uint(bpl) < uint(height)
+        || bpl < 0
+        || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow
 	setNumColors( 0 );
 	return FALSE;
     }

--- src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006
+++ src/kernel/qpixmap_x11.cpp	Thu Oct 19 14:41:41 CEST 2006

@@ -953,6 +953,9 @@
     bool force_mono = (dd == 1 || isQBitmap() ||
 		       (conversion_flags & ColorMode_Mask)==MonoOnly );
 
+    if ( w >= 32768 || h >= 32768 )
+        return FALSE;
+
     // get rid of the mask
     delete data->mask;
     data->mask = 0;
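Review bot: The bound `32768` in the added guard `if ( w >= 32768 || h >= 32768 )` is an unexplained literal, and the same value is repeated in the `xForm` null-pixmap check further down this file. A reader cannot tell from here that it is presumably the 16-bit coordinate range of the X protocol, or that the two checks must stay in step. Give the limit one named constant shared by both sites and add a comment such as `// X11 cannot represent pixmaps this large; refuse rather than truncate`. The enclosing function starts and ends outside the hunk, so whether `w` and `h` are already known to be positive at this point cannot be confirmed from here.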
@@ -1678,11 +1681,11 @@
 
 QPixmap QPixmap::xForm( const QWMatrix &matrix ) const
 {
-    int	   w = 0;
-    int	   h = 0;				// size of target pixmap
-    int	   ws, hs;				// size of source pixmap
+    uint   w = 0;
+    uint   h = 0;				// size of target pixmap
+    uint   ws, hs;				// size of source pixmap
     uchar *dptr;				// data in target pixmap
-    int	   dbpl, dbytes;			// bytes per line/bytes total
+    uint   dbpl, dbytes;			// bytes per line/bytes total
     uchar *sptr;				// data in original pixmap
     int	   sbpl;				// bytes per line in original
     int	   bpp;					// bits per pixel
@@ -1697,19 +1700,24 @@
 
     QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. );
 
+    double scaledWidth;
+    double scaledHeight;
+
     if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) {
 	if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F )
 	    return *this;			// identity matrix
-	h = qRound( matrix.m22()*hs );
-	w = qRound( matrix.m11()*ws );
-	h = QABS( h );
-	w = QABS( w );
+	scaledHeight = matrix.m22()*hs;
+	scaledWidth = matrix.m11()*ws;
+	h = QABS( qRound( scaledHeight ) );
+	w = QABS( qRound( scaledWidth ) );
     } else {					// rotation or shearing
 	QPointArray a( QRect(0,0,ws+1,hs+1) );
 	a = mat.map( a );
 	QRect r = a.boundingRect().normalize();
 	w = r.width()-1;
 	h = r.height()-1;
+        scaledWidth = w;
+        scaledHeight = h;
     }
 
     mat = trueMatrix( mat, ws, hs ); // true matrix
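Review bot: In the scaling branch, `qRound( scaledHeight )` and `qRound( scaledWidth )` convert the doubles to int before the `>= 32768` test in the following hunk looks at them, so a matrix with a very large scale factor still performs an out-of-range double-to-int conversion, whose result is undefined. Test the doubles directly after they are assigned and return the null pixmap there, before rounding and before `trueMatrix` is called. In the rotation branch `w` and `h` are now `uint`, so `r.width()-1` wraps to a large value instead of going negative; the later check appears to reject that case, but it deserves a comment, e.g. `// uint wrap of an empty/overflowed rect is caught by the size limit below`.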
@@ -1718,7 +1726,8 @@
     bool invertible;
     mat = mat.invert( &invertible );		// invert matrix
 
-    if ( h == 0 || w == 0 || !invertible ) {	// error, return null pixmap
+    if ( h == 0 || w == 0 || !invertible
+         || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) {	// error, return null pixmap
 	QPixmap pm;
 	pm.data->bitmap = data->bitmap;
 	return pm;