From 42bd879e2bc6e0d8370d320cca17df36ea68d570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?=
Date: Mon, 16 Dec 2024 23:55:38 +0100
Subject: [PATCH] QRadialGradient: Fix crash on huge x values

Credit to OSS-Fuzz

Fixes: QTBUG-130992
Pick-to: 6.9 6.8
Change-Id: Iefaa6964966f6828bc23a603f085d283189f1a3b
Reviewed-by: Allan Sandfeld Jensen
---
 src/gui/painting/qdrawhelper_p.h | 6 +++++-
 tests/auto/gui/painting/qpainter/tst_qpainter.cpp | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/gui/painting/qdrawhelper_p.h b/src/gui/painting/qdrawhelper_p.h
index 482a2da206e..eeef60d793b 100644
--- a/src/gui/painting/qdrawhelper_p.h
+++ b/src/gui/painting/qdrawhelper_p.h
@@ -432,7 +432,11 @@ const BlendType * QT_FASTCALL qt_fetch_radial_gradient_template(BlendType *buffe
             qreal delta_det = (b_delta_b + delta_bb + 4 * op->radial.a * (rx_plus_ry + delta_rxrxryry)) * inv_a;
             const qreal delta_delta_det = (delta_b_delta_b + 4 * op->radial.a * delta_rx_plus_ry) * inv_a;
 
-            RadialFetchFunc::fetch(buffer, end, op, data, det, delta_det, delta_delta_det, b, delta_b);
+            if (std::isfinite(float(det)) && std::isfinite(float(delta_det))
+                && std::isfinite(float(delta_delta_det)))
+                RadialFetchFunc::fetch(buffer, end, op, data, det, delta_det, delta_delta_det, b, delta_b);
+            else
+                RadialFetchFunc::memfill(buffer, RadialFetchFunc::null(), length);
         } else {
             qreal rw = data->m23 * (y + qreal(0.5)) + data->m33 + data->m13 * (x + qreal(0.5));
 
diff --git a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
index 168026f9aa4..9ef5c6f34e1 100644
--- a/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
+++ b/tests/auto/gui/painting/qpainter/tst_qpainter.cpp
@@ -171,6 +171,7 @@ private slots:
 #endif
     void radialGradient_QTBUG120332_ubsan();
+    void radialGradient_QTBUG130992_crash();
     void fpe_pixmapTransform();
     void fpe_zeroLengthLines();
     void fpe_divByZero();
 
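Review bot: The narrowing `float(det)` inside the new `std::isfinite` guard is load-bearing — a qreal that is finite as a double but beyond float range still has to take the memfill path — yet nothing says so, and a later cleanup to `std::isfinite(det)` would silently reopen the overflow that this fuzzer-found crash came from. I'd put above the `if` a comment such as `// Narrowing to float on purpose: values that overflow float must also fall back to the null fill`, presumably because the fetch implementations compute in float (confirm against RadialFetchFunc before wording it as fact). The guard covers det, delta_det and delta_delta_det, while `b` and `delta_b` are forwarded to fetch unchecked; if det is derived from b the check is transitively sufficient, but one sentence saying so would spare the next reader the derivation. The enclosing function starts and ends outside the hunk, so I am taking `length` to be its span parameter and assuming `<cmath>` is already reachable from this header for `std::isfinite`.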
@@ -3928,6 +3929,19 @@ void tst_QPainter::radialGradient_QTBUG120332_ubsan()
     painter.fillRect(image.rect(), QBrush(gradient));
 }
 
+void tst_QPainter::radialGradient_QTBUG130992_crash()
+{
+    // Check if Radial Gradient will crash on extreme values
+    // The crash was found by oss-fuzz, see
+    // https://issues.oss-fuzz.com/issues/42533347
+    QImage image(8, 8, QImage::Format_ARGB32_Premultiplied);
+    QPainter painter(&image);
+
+    constexpr qreal hugeValue = 1.1E37;
+    QRadialGradient gradient(hugeValue, 0.5, 0.5, hugeValue, 0.5);
+    painter.fillRect(image.rect(), QBrush(gradient));
+}
+
 void tst_QPainter::gradientInterpolation()
 {
     QImage image(256, 8, QImage::Format_ARGB32_Premultiplied);
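Review bot: radialGradient_QTBUG130992_crash only proves that the fill no longer crashes; the new guard deliberately replaces the output with RadialFetchFunc::null(), and nothing in the test pins that outcome. If null() is the transparent value (I cannot confirm that from this diff), a `QCOMPARE(image.pixel(0, 0), 0u);` after the fillRect would make the test fail loudly should a future change let partially overflowed values through and produce garbage rather than the defined fallback. The subject says huge x values, but a huge center y or radius reaches the same det/delta_det computation, so a `_data()` variant that also places hugeValue in those positions would be cheap extra coverage for the same guard. Either way the comment could state what the expected behaviour is, e.g. `// Expected: no crash, and the span is filled with the null colour`, so the reader knows the test is not merely checking for the absence of UB.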