From 1ee9496679ea2bf4d043937b83aa72a1b5bb6977 Mon Sep 17 00:00:00 2001
From: Volker Hilsheimer
Date: Wed, 21 Jul 2021 10:15:09 +0200
Subject: [PATCH] Prevent array-out-of-bounds access

Fixes static analyzer warning 12b19393e18b2394a398806f633c6eee, and amends a1a6e3d21b1a4fb799dfd245fed6bb6564178894. In the process, replace the "int& *= double" with correct integer arithmetic that'll produce the intended result without going via double.

Done-with: Edward Welbourne
Pick-to: 6.2
Task-number: QTBUG-8096
Change-Id: Ib2aa8ae46a1bfd4d121e61cf99141c0311502215
Reviewed-by: Edward Welbourne
---
 src/gui/text/qcssparser.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 62e14e92bb9..574436d6f6b 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -1601,13 +1601,17 @@ QSize Declaration::sizeValue() const
     int x[2] = { 0, 0 };
     const int count = d->values.count();
     for (int i = 0; i < count; ++i) {
+        if (i > 1) {
+            qWarning("QCssParser::sizeValue: Too many values provided");
+            break;
+        }
         const auto &value = d->values.at(i);
         const QString valueString = value.variant.toString();
         if (valueString.endsWith(u"pt", Qt::CaseInsensitive)) {
             intValueHelper(value, &x[i], "pt");
             // according to https://www.w3.org/TR/css3-values/#absolute-lengths
             // 1pt = 1/72th of 1 inch, and 1px = 1/96th of 1 inch
-            x[i] *= 72.0/96.0;
+            x[i] = (x[i] * 72) / 96;
         } else {
             // by default we use 'px'
             intValueHelper(value, &x[i], "px");
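Review bot: The new `x[i] = (x[i] * 72) / 96;` can overflow `int` once the parsed pt value exceeds roughly 29.8 million, and signed overflow is undefined behaviour; the removed double form never had that problem, so the arithmetic rewrite trades one static-analyzer finding for a new edge case on stylesheet input. Whether intValueHelper already bounds the value is not visible in the hunk; if it does not, widen the intermediate, e.g. `x[i] = static_cast<int>((static_cast<qint64>(x[i]) * 72) / 96);`, which keeps the truncate-toward-zero result the double version produced. The added `i > 1` guard also hard-codes the bound of `x` as a magic number; `if (i >= int(std::size(x)))` (or a named constant shared with the declaration) keeps the check tied to the array's actual size. Declaration::sizeValue continues past the end of the hunk.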