Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- 4.7.1
- None
- Environment: OSX 10.5, Carbon build using xcode 2.5 (but it doesn't matter, IMHO, if you get to that code, you're toast.)
- 348894a550510e54e7709d18676b4b10c9e5e9e3
Description
Compile and run this bit of code:
    QPixmap testPixmap(10, 10);
    QImage testImage2(1, 10, QImage::Format_RGB32);
    testPixmap.convertFromImage(testImage2);

The code creates a 10x10 pixmap, and then re-initializes the pixmap by converting an image of 1x10.
This causes a buffer overrun in QMacPixmapData::macCreatePixels, in this line:

    if (pixels)
        memcpy(base_pixels, pixels, pixelsSize);

The reason is that the target of the memcpy has been allocated like this:

    base_pixels = static_cast<quint32 *>(malloc(numBytes));

where numBytes is 160. However, pixelsSize is still the old size (480 in this case), causing 480 bytes to be copied into a 160 byte memory region.
If you're lucky, this results in an 'EXC_BAD_ACCESS' on OSX; if not, your program runs with its data corrupted.
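The following is an added, self-contained model of the bookkeeping failure described above. It is not Qt's QMacPixmapData code and not the reporter's test case; it only reproduces the pattern (a remembered byte count that is not refreshed when the buffer is re-created) so that the overrun can be measured and a bounded copy shown beside it. The 16-byte row padding in bytesPerRow is an assumption chosen because it yields the 480 and 160 byte figures quoted in the report; the hardened safeRecreate is one correct way to bound the copy, not the fix that was committed in Qt.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed model of the bookkeeping in the report: a pixel buffer plus the
// byte count the owning class remembers for it. Not Qt's QMacPixmapData.
struct PixelBuffer {
    std::uint32_t *pixels = nullptr;
    std::size_t pixelsSize = 0;   // bytes `pixels` was allocated with
    int w = 0;
    int h = 0;
    ~PixelBuffer() { std::free(pixels); }
};

// Row pitch padded to 16 bytes (assumption; it reproduces the report's
// figures: 10 px -> 48 B/row -> 480 B, 1 px -> 16 B/row -> 160 B).
static std::size_t bytesPerRow(int width) {
    std::size_t raw = static_cast<std::size_t>(width) * 4;
    return (raw + 15) & ~static_cast<std::size_t>(15);
}

// How many bytes a memcpy of `staleSize` into a fresh `numBytes` allocation
// writes past the end. This is exactly the check the buggy path lacks.
static std::size_t staleCopyOverrun(std::size_t staleSize, std::size_t numBytes) {
    return staleSize > numBytes ? staleSize - numBytes : 0;
}

// Create the buffer for w x h pixels and record the size it was created with.
static void createPixels(PixelBuffer &pb, int w, int h) {
    std::free(pb.pixels);
    pb.w = w;
    pb.h = h;
    pb.pixelsSize = bytesPerRow(w) * static_cast<std::size_t>(h);
    pb.pixels = static_cast<std::uint32_t *>(std::calloc(1, pb.pixelsSize));
    if (!pb.pixels) std::abort();  // keep the model simple: treat OOM as fatal
}

// Re-create for a new geometry. Unlike the buggy path, the copy is bounded by
// both the old and the new layout (row by row, shortest pitch, fewest rows),
// and pixelsSize is refreshed to the new allocation. Returns the new pixelsSize.
static std::size_t safeRecreate(PixelBuffer &pb, int newW, int newH) {
    std::size_t oldPitch = bytesPerRow(pb.w);
    std::size_t newPitch = bytesPerRow(newW);
    std::size_t numBytes = newPitch * static_cast<std::size_t>(newH);
    auto *base_pixels = static_cast<std::uint32_t *>(std::calloc(1, numBytes));
    if (!base_pixels) std::abort();

    if (pb.pixels) {
        int rows = std::min(pb.h, newH);
        std::size_t rowBytes = std::min(oldPitch, newPitch);
        for (int r = 0; r < rows; ++r) {
            std::memcpy(reinterpret_cast<char *>(base_pixels) + r * newPitch,
                        reinterpret_cast<const char *>(pb.pixels) + r * oldPitch,
                        rowBytes);
        }
        std::free(pb.pixels);
    }
    pb.pixels = base_pixels;
    pb.pixelsSize = numBytes;  // the field the report shows going stale
    pb.w = newW;
    pb.h = newH;
    return pb.pixelsSize;
}

// Address a pixel through the buffer's current pitch.
static std::uint32_t &pixelAt(PixelBuffer &pb, int x, int y) {
    return pb.pixels[y * (bytesPerRow(pb.w) / 4) + x];
}

// Walk through the report's scenario: 10x10 -> 1x10.
// Returns true when the stale-size copy would overrun by 320 bytes, the
// bounded re-creation yields 160 bytes, and surviving pixels keep their values.
static bool demo() {
    PixelBuffer pb;
    createPixels(pb, 10, 10);                    // 480 bytes
    for (int y = 0; y < 10; ++y)
        for (int x = 0; x < 10; ++x)
            pixelAt(pb, x, y) = (static_cast<std::uint32_t>(y) << 8) | static_cast<std::uint32_t>(x);

    std::size_t overrun = staleCopyOverrun(pb.pixelsSize, bytesPerRow(1) * 10);  // 320
    std::size_t newSize = safeRecreate(pb, 1, 10);                               // 160
    return overrun == 320 && newSize == 160 && pixelAt(pb, 0, 9) == 0x900;
}

int main() { return demo() ? 0 : 1; }
```

The point of staleCopyOverrun is that the size passed to memcpy must describe the destination that was just allocated, not whatever the object remembered from its previous life; any re-creation path that reuses a cached size field without refreshing it first is a heap overflow waiting for a smaller geometry.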