QTBUG-18547

Buffer overrun in QMacPixmapData::macCreatePixels (QPixmap_mac.cpp)


Details

    • Type: Bug
    • Resolution: Done
    • Priority: P1: Critical
    • Fix Version: 4.7.4
    • Affects Version: 4.7.1
    • Component: Image formats
    • Labels: None
    • Environment: OSX 10.5, Carbon build using Xcode 2.5 (but it doesn't matter, IMHO, if you get to that code, you're toast.)
    • Platform: macOS
    • Commit: 348894a550510e54e7709d18676b4b10c9e5e9e3

    Description

      Compile and run this bit of code:

      #include <QApplication>
      #include <QPixmap>
      #include <QImage>
      int main(int argc, char **argv) {
          QApplication app(argc, argv);   // QPixmap needs a QApplication to exist
          QPixmap testPixmap (10,10);
          QImage testImage2(1,10, QImage::Format_RGB32);
          testPixmap.convertFromImage( testImage2 );
      }
      

      The code creates a 10x10 pixmap, and then re-initializes the pixmap by converting an image of 1x10.

      This causes a buffer overrun in QMacPixmapData::macCreatePixels, in this line:

      if (pixels)
          memcpy(base_pixels, pixels, pixelsSize);
      

      The reason is that the target of the memcpy has been allocated like this:

      base_pixels = static_cast<quint32 *>(malloc(numBytes));
      

      where numBytes is 160. However, pixelsSize is still the old size (480 in this case), causing 480 bytes to be copied into a 160-byte memory region.

      If you're lucky, this results in an 'EXC_BAD_ACCESS' on OS X, if not your program runs with its data corrupted.
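The following is an added, self-contained model of the bug described above; it is not Qt's code and not part of the original report. `PixmapData`, `pixmapBytes`, `recreate`, `macCreatePixelsBuggy` and `macCreatePixelsFixed` are hypothetical stand-ins for QMacPixmapData and macCreatePixels. The 16-byte row alignment in `pixmapBytes` is an assumption inferred from the numbers in the report (10x10 gives 480 bytes, 1x10 gives 160). Instead of letting the oversized memcpy hit the real heap, the destination is padded with a guard region so the overrun can be measured; the buggy path copies the stale `pixelsSize` and leaves it stale, the fixed path copies at most min(old, new) bytes and refreshes the cached size.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Hypothetical stand-in for QMacPixmapData: it owns a pixel buffer and caches
// that buffer's byte size in pixelsSize, the field the report says goes stale.
struct PixmapData {
    int w = 0;
    int h = 0;
    std::vector<uint8_t> pixels;   // the current buffer ("pixels" in the report)
    size_t pixelsSize = 0;         // cached size of pixels in bytes
};

// Bytes needed for a w x h 32-bit pixmap. The 16-byte row alignment is an
// assumption inferred from the report's numbers (10x10 -> 480, 1x10 -> 160).
size_t pixmapBytes(int w, int h) {
    const size_t bytesPerRow = (size_t(w) * 4 + 15) & ~size_t(15);
    return bytesPerRow * size_t(h);
}

// Equivalent of QPixmap(w, h): allocate and fill with a recognisable pattern.
PixmapData makePixmap(int w, int h) {
    PixmapData d;
    d.w = w;
    d.h = h;
    d.pixels.assign(pixmapBytes(w, h), uint8_t(0xAA));
    d.pixelsSize = d.pixels.size();
    return d;
}

// Outcome of one macCreatePixels-style re-creation of the buffer.
struct CreateResult {
    size_t numBytes;     // bytes allocated for the new geometry
    size_t bytesCopied;  // bytes the memcpy wrote into the new buffer
    size_t overrun;      // bytes written past numBytes (0 when in bounds)
};

// Shared body: allocate numBytes for the new geometry, then copy copyLen bytes
// of the old buffer into it. The destination gets a guard region after
// numBytes so an oversized copy lands in memory we own and can be measured
// instead of silently corrupting the heap (the report's "data corrupted").
static CreateResult recreate(PixmapData &d, int w, int h, size_t copyLen, bool updateSize) {
    const size_t numBytes = pixmapBytes(w, h);
    copyLen = std::min(copyLen, d.pixels.size());         // never read past the source
    const size_t overrun = copyLen > numBytes ? copyLen - numBytes : 0;
    std::vector<uint8_t> base(numBytes + overrun, uint8_t(0));   // numBytes + guard
    if (!d.pixels.empty())
        std::memcpy(base.data(), d.pixels.data(), copyLen);
    base.resize(numBytes);                                // keep only the real allocation
    d.pixels.swap(base);
    d.w = w;
    d.h = h;
    if (updateSize)
        d.pixelsSize = numBytes;
    return CreateResult{numBytes, copyLen, overrun};
}

// The behaviour described in the report: numBytes is computed for the new
// geometry, but the memcpy length is the stale pixelsSize of the OLD buffer,
// and pixelsSize is not refreshed afterwards.
CreateResult macCreatePixelsBuggy(PixmapData &d, int w, int h) {
    return recreate(d, w, h, d.pixelsSize, /*updateSize=*/false);
}

// Hardened form: copy no more than the smaller of the old and new buffer
// sizes, and record the new size so later calls see the right value.
CreateResult macCreatePixelsFixed(PixmapData &d, int w, int h) {
    return recreate(d, w, h, std::min(d.pixelsSize, pixmapBytes(w, h)), /*updateSize=*/true);
}

int main() {
    // Reproduce the report: a 10x10 pixmap re-initialised from a 1x10 image.
    PixmapData buggy = makePixmap(10, 10);
    CreateResult r = macCreatePixelsBuggy(buggy, 1, 10);
    std::cout << "buggy: numBytes=" << r.numBytes << " copied=" << r.bytesCopied
              << " overrun=" << r.overrun << " stale pixelsSize=" << buggy.pixelsSize << "\n";

    PixmapData fixed = makePixmap(10, 10);
    r = macCreatePixelsFixed(fixed, 1, 10);
    std::cout << "fixed: numBytes=" << r.numBytes << " copied=" << r.bytesCopied
              << " overrun=" << r.overrun << " pixelsSize=" << fixed.pixelsSize << "\n";
    return 0;
}
```

The clamp on the source read in `recreate` is only there so the model itself stays memory-safe: after one buggy re-creation the cached size (480) no longer matches the real buffer (160), so a second stale copy would also read past the source. In the real code both the write and that later read are out of bounds, which is why the report sees either EXC_BAD_ACCESS or silent corruption depending on what happens to sit after the allocation.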


People

  Jiang Jiang
  Arnt Witteveen
