QRadialGradient: Fix crash on huge x values

Credit to OSS-Fuzz Fixes: QTBUG-130992 Pick-to: 6.9 6.8 Change-Id: Iefaa6964966f6828bc23a603f085d283189f1a3b Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
2024-12-16 23:55:38 +01:00 · 2024-12-16 23:55:38 +01:00 · 42bd879e2b
commit 42bd879e2b
parent 02920ef05a
2 changed files with 19 additions and 1 deletions
--- a/src/gui/painting/qdrawhelper_p.h
+++ b/src/gui/painting/qdrawhelper_p.h
@ -432,7 +432,11 @@ const BlendType * QT_FASTCALL qt_fetch_radial_gradient_template(BlendType *buffe
        qreal delta_det = (b_delta_b + delta_bb + 4 * op->radial.a * (rx_plus_ry + delta_rxrxryry)) * inv_a;
        const qreal delta_delta_det = (delta_b_delta_b + 4 * op->radial.a * delta_rx_plus_ry) * inv_a;

-        RadialFetchFunc::fetch(buffer, end, op, data, det, delta_det, delta_delta_det, b, delta_b);
+        if (std::isfinite(float(det)) && std::isfinite(float(delta_det))
+            && std::isfinite(float(delta_delta_det)))
+            RadialFetchFunc::fetch(buffer, end, op, data, det, delta_det, delta_delta_det, b, delta_b);
+        else
+            RadialFetchFunc::memfill(buffer, RadialFetchFunc::null(), length);
    } else {
        qreal rw = data->m23 * (y + qreal(0.5))
                   + data->m33 + data->m13 * (x + qreal(0.5));
--- a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
+++ b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
@ -171,6 +171,7 @@ private slots:
 #endif

    void radialGradient_QTBUG120332_ubsan();
+    void radialGradient_QTBUG130992_crash();
    void fpe_pixmapTransform();
    void fpe_zeroLengthLines();
    void fpe_divByZero();
@ -3928,6 +3929,19 @@ void tst_QPainter::radialGradient_QTBUG120332_ubsan()
    painter.fillRect(image.rect(), QBrush(gradient));
 }

+void tst_QPainter::radialGradient_QTBUG130992_crash()
+{
+    // Check if Radial Gradient will crash on extreme values
+    // The crash was found by oss-fuzz, see
+    // https://issues.oss-fuzz.com/issues/42533347
+    QImage image(8, 8, QImage::Format_ARGB32_Premultiplied);
+    QPainter painter(&image);
+
+    constexpr qreal hugeValue = 1.1E37;
+    QRadialGradient gradient(hugeValue, 0.5, 0.5, hugeValue, 0.5);
+    painter.fillRect(image.rect(), QBrush(gradient));
+}
+
 void tst_QPainter::gradientInterpolation()
 {
    QImage image(256, 8, QImage::Format_ARGB32_Premultiplied);