Details
- Bug
- Resolution: Unresolved
- P4: Low
- None
- 4.8.5, 5.5.1
- None
Description
Hi,
I saw that QImage::bits() can return a null pointer in several cases, e.g. out-of-memory conditions or if the QImage has no QImageData allocated for it. If the code calling QImage::bits() doesn't verify the returned pointer, then the null pointer will be dereferenced and the app will crash. I saw this problem in several Qt libraries.
The solution would be to call QImage::isNull() before calling QImage::bits(). Or verify the result code from QImage::bits() and proceed further only if it's not null.
In my case I've run into a SIGSEGV on an embedded platform with an Arm CPU and a Mali-400MP GPU; Qt 4.8.5 was compiled with QPA. I was using QtWebKit 2.2 to visit youtube.com/tv. One crash was in libQtGui.so in src/gui/text/qtextureglyphcache.cpp:fillTexture(), where m_image.bits() returned 0. Another crash happened in libOpenGL.so in src/opengl/gl2paintengineex/qtextureglyphcache_ql.cpp:fillTexture(), where texture.constBits() returned 0. Neither checks whether the pointer is 0. I can provide a call stack for the crash if needed, but the cause of the crash is pretty clear.
The problem is more widespread though and not restricted to just the above two cases. Grepping through the Qt sources for '.bits(' revealed that it occurs in 159 places; '.constBits(' occurs in 24 places. From a cursory look through the sources I saw only one place out of 15 where isNull() was called before bits(). So there's potential for crashes in a lot of places.
Regards,
Simon Boti
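The following is an added example, not code from the report or from Qt, showing the unguarded pattern the report describes next to the guarded form it proposes. The `Image` class is a small stand-in that only mirrors the contract discussed above (`bits()`/`constBits()` return a null pointer when no pixel data is allocated, `isNull()` reports that state); `fillTextureUnchecked` and `fillTextureChecked` are hypothetical names chosen for illustration, not Qt's `fillTexture()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <vector>

// Stand-in for QImage (constructed for this example, not Qt code). It mirrors the
// behaviour the report describes: a default-constructed image has no data, a failed
// allocation leaves it without data, and bits()/constBits() then return nullptr.
class Image {
public:
    Image() = default;                        // "null" image: no pixel data allocated
    Image(int w, int h) : w_(w), h_(h) {
        // Allocation may fail under memory pressure; leave the image null in that case.
        try { data_.assign(static_cast<std::size_t>(w) * static_cast<std::size_t>(h), 0); }
        catch (const std::bad_alloc&) { data_.clear(); }
    }
    bool isNull() const { return data_.empty(); }
    std::uint8_t* bits() { return data_.empty() ? nullptr : data_.data(); }
    const std::uint8_t* constBits() const { return data_.empty() ? nullptr : data_.data(); }
    int height() const { return h_; }
    int bytesPerLine() const { return w_; }   // 8-bit single-channel stand-in
private:
    int w_ = 0, h_ = 0;
    std::vector<std::uint8_t> data_;
};

// Unguarded pattern (the defect shape from the report): the pointer returned by
// constBits() is used without a check, so a null image leads to a null dereference.
// Shown only for comparison; never call it with an image that may be null.
void fillTextureUnchecked(const Image& img, std::vector<std::uint8_t>& texture) {
    const std::uint8_t* src = img.constBits();
    const std::size_t n = static_cast<std::size_t>(img.bytesPerLine()) * img.height();
    texture.assign(src, src + n);             // crashes when src == nullptr
}

// Guarded pattern: check isNull() before touching pixel data, and also check the
// pointer itself, then report failure to the caller instead of dereferencing null.
bool fillTextureChecked(const Image& img, std::vector<std::uint8_t>& texture) {
    if (img.isNull()) return false;           // no image data allocated
    const std::uint8_t* src = img.constBits();
    if (src == nullptr) return false;         // defensive: pointer check as well
    const std::size_t n = static_cast<std::size_t>(img.bytesPerLine()) * img.height();
    texture.assign(src, src + n);
    return true;
}

// Self-check helpers so the two paths can be exercised without a harness.
bool nullImageRejected() {
    Image img;                                // default-constructed, isNull() == true
    std::vector<std::uint8_t> tex;
    return !fillTextureChecked(img, tex) && tex.empty();
}

std::size_t validImageCopied() {
    Image img(4, 2);                          // 4 x 2 bytes of constructed pixel data
    img.bits()[3] = 0xAB;                     // safe here: the image is not null
    std::vector<std::uint8_t> tex;
    if (!fillTextureChecked(img, tex) || tex[3] != 0xAB) return 0;
    return tex.size();                        // 8 bytes copied
}

int main() {
    std::printf("null image rejected: %s\n", nullImageRejected() ? "yes" : "no");
    std::printf("bytes copied from valid image: %zu\n", validImageCopied());
    return 0;
}
```

The guarded version returns a status so the caller can skip the glyph or texture upload rather than crash; the unchecked version is only there to make the difference visible side by side.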