From 78a45e4a65d35687a4a778abd0b2d57eaf1fb7cc Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 4 Jul 2023 16:08:56 +0200
Subject: [PATCH] Make while iterations over height safer

Changing the repeating pattern to one that can survive negative numbers,
even if most places it isn't possible.

Fixes: QTBUG-115003
Change-Id: I636e246b00a9dda65c147dff3e1f1d1a748d1879
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit 7c6be5e884db0be343fe767683c6b0a8c194ce45)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/painting/qblendfunctions.cpp      |  4 ++--
 src/gui/painting/qblendfunctions_p.h      |  4 ++--
 src/gui/painting/qdrawhelper.cpp          | 10 +++++-----
 src/gui/painting/qdrawhelper_mips_dsp.cpp |  4 ++--
 src/gui/painting/qdrawhelper_neon.cpp     |  6 +++---
 src/gui/painting/qdrawhelper_sse2.cpp     |  8 ++++----
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/gui/painting/qblendfunctions.cpp b/src/gui/painting/qblendfunctions.cpp
index 2a51d062046..fa9f89262c6 100644
--- a/src/gui/painting/qblendfunctions.cpp
+++ b/src/gui/painting/qblendfunctions.cpp
@@ -152,7 +152,7 @@ void qt_blend_rgb16_on_rgb16(uchar *dst, int dbpl,
 
     if (const_alpha == 256) {
         int length = w << 1;
-        while (h--) {
+        while (--h >= 0) {
             memcpy(dst, src, length);
             dst += dbpl;
             src += sbpl;
@@ -162,7 +162,7 @@ void qt_blend_rgb16_on_rgb16(uchar *dst, int dbpl,
         const quint16 *s = (const quint16 *) src;
         quint8 a = (255 * const_alpha) >> 8;
         quint8 ia = 255 - a;
-        while (h--) {
+        while (--h >= 0) {
             for (int x=0; x<w; ++x) {
                 d[x] = BYTE_MUL_RGB16(s[x], a) + BYTE_MUL_RGB16(d[x], ia);
             }
diff --git a/src/gui/painting/qblendfunctions_p.h b/src/gui/painting/qblendfunctions_p.h
index 90a7dbcf64c..2f5ed36c736 100644
--- a/src/gui/painting/qblendfunctions_p.h
+++ b/src/gui/painting/qblendfunctions_p.h
@@ -89,7 +89,7 @@ void qt_scale_image_16bit(uchar *destPixels, int dbpl,
     if (xend < 0 || xend >= (int)(sbpl/sizeof(SRC)))
         --w;
 
-    while (h--) {
+    while (--h >= 0) {
         const SRC *src = (const SRC *) (srcPixels + (srcy >> 16) * sbpl);
         quint32 srcx = basex;
         int x = 0;
@@ -180,7 +180,7 @@ template <typename T> void qt_scale_image_32bit(uchar *destPixels, int dbpl,
     if (xend < 0 || xend >= (int)(sbpl/sizeof(quint32)))
         --w;
 
-    while (h--) {
+    while (--h >= 0) {
         const uint *src = (const quint32 *) (srcPixels + (srcy >> 16) * sbpl);
         quint32 srcx = basex;
         int x = 0;
diff --git a/src/gui/painting/qdrawhelper.cpp b/src/gui/painting/qdrawhelper.cpp
index c6b6a8b6a48..1c62d54fcdb 100644
--- a/src/gui/painting/qdrawhelper.cpp
+++ b/src/gui/painting/qdrawhelper.cpp
@@ -5100,7 +5100,7 @@ inline void qt_bitmapblit_template(QRasterBuffer *rasterBuffer,
     const int destStride = rasterBuffer->stride<DST>();
 
     if (mapWidth > 8) {
-        while (mapHeight--) {
+        while (--mapHeight >= 0) {
             int x0 = 0;
             int n = 0;
             for (int x = 0; x < mapWidth; x += 8) {
@@ -5130,7 +5130,7 @@ inline void qt_bitmapblit_template(QRasterBuffer *rasterBuffer,
             map += mapStride;
         }
     } else {
-        while (mapHeight--) {
+        while (--mapHeight >= 0) {
             int x0 = 0;
             int n = 0;
             for (uchar s = *map; s; s <<= 1) {
@@ -5438,7 +5438,7 @@ void qt_alphamapblit_quint16(QRasterBuffer *rasterBuffer,
     if (!clip) {
         quint16 *dest = reinterpret_cast<quint16*>(rasterBuffer->scanLine(y)) + x;
         const int destStride = rasterBuffer->stride<quint16>();
-        while (mapHeight--) {
+        while (--mapHeight >= 0) {
             for (int i = 0; i < mapWidth; ++i)
                 alphamapblend_quint16(map[i], dest, i, c);
             dest += destStride;
@@ -5492,7 +5492,7 @@ static void qt_alphamapblit_argb32(QRasterBuffer *rasterBuffer,
 
     if (!clip) {
         quint32 *dest = reinterpret_cast<quint32*>(rasterBuffer->scanLine(y)) + x;
-        while (mapHeight--) {
+        while (--mapHeight >= 0) {
             for (int i = 0; i < mapWidth; ++i) {
                 const int coverage = map[i];
                 alphamapblend_argb32(dest + i, coverage, srcColor, c, colorProfile);
@@ -5810,7 +5810,7 @@ static void qt_alphargbblit_argb32(QRasterBuffer *rasterBuffer,
     if (!clip) {
         quint32 *dst = reinterpret_cast<quint32*>(rasterBuffer->scanLine(y)) + x;
         const int destStride = rasterBuffer->stride<quint32>();
-        while (mapHeight--) {
+        while (--mapHeight >= 0) {
             for (int i = 0; i < mapWidth; ++i) {
                 const uint coverage = src[i];
                 alphargbblend_argb32(dst + i, coverage, srcColor, c, colorProfile);
diff --git a/src/gui/painting/qdrawhelper_mips_dsp.cpp b/src/gui/painting/qdrawhelper_mips_dsp.cpp
index af2c6598b2c..86dcde2b58c 100644
--- a/src/gui/painting/qdrawhelper_mips_dsp.cpp
+++ b/src/gui/painting/qdrawhelper_mips_dsp.cpp
@@ -95,7 +95,7 @@ void qt_blend_rgb16_on_rgb16_mips_dspr2(uchar *destPixels, int dbpl,
         }
         else {
             int length = w << 1;
-            while (h--) {
+            while (--h >= 0) {
                 memcpy(destPixels, srcPixels, length);
                 destPixels += dbpl;
                 srcPixels += sbpl;
@@ -130,7 +130,7 @@ void qt_blend_rgb16_on_rgb16_mips_dsp(uchar *destPixels, int dbpl,
         }
         else {
             int length = w << 1;
-            while (h--) {
+            while (--h >= 0) {
                 memcpy(destPixels, srcPixels, length);
                 destPixels += dbpl;
                 srcPixels += sbpl;
diff --git a/src/gui/painting/qdrawhelper_neon.cpp b/src/gui/painting/qdrawhelper_neon.cpp
index 17ec693649b..1fceb83710b 100644
--- a/src/gui/painting/qdrawhelper_neon.cpp
+++ b/src/gui/painting/qdrawhelper_neon.cpp
@@ -185,7 +185,7 @@ void qt_blend_rgb16_on_argb32_neon(uchar *destPixels, int dbpl,
         quint8 a = (255 * const_alpha) >> 8;
         quint8 ia = 255 - a;
 
-        while (h--) {
+        while (--h >= 0) {
             for (int x=0; x<w; ++x)
                 dst[x] = INTERPOLATE_PIXEL_255(qConvertRgb16To32(src[x]), a, dst[x], ia);
             dst += dbpl;
@@ -228,7 +228,7 @@ static inline void blockBlit16(quint16 *dst, quint16 *src, int dstride, int sstr
     u.pointer = dst;
 
     if (u.address & 2) {
-        while (h--) {
+        while (--h >= 0) {
             // align dst
             dst[0] = src[0];
             if (Width > 1)
@@ -237,7 +237,7 @@ static inline void blockBlit16(quint16 *dst, quint16 *src, int dstride, int sstr
             src += sstride;
         }
     } else {
-        while (h--) {
+        while (--h >= 0) {
             scanLineBlit16<Width>(dst, src, dstride);
 
             dst += dstride;
diff --git a/src/gui/painting/qdrawhelper_sse2.cpp b/src/gui/painting/qdrawhelper_sse2.cpp
index bc9286ab38f..79590534f31 100644
--- a/src/gui/painting/qdrawhelper_sse2.cpp
+++ b/src/gui/painting/qdrawhelper_sse2.cpp
@@ -361,7 +361,7 @@ void qt_bitmapblit32_sse2_base(QRasterBuffer *rasterBuffer, int x, int y,
                                                 0x04040404, 0x08080808);
         const __m128i maskadd2 = _mm_set_epi32(0x7f7f7f7f, 0x7e7e7e7e,
                                                0x7c7c7c7c, 0x78787878);
-        while (height--) {
+        while (--height >= 0) {
             for (int x = 0; x < width; x += 8) {
                 const quint8 s = src[x >> 3];
                 if (!s)
@@ -380,7 +380,7 @@ void qt_bitmapblit32_sse2_base(QRasterBuffer *rasterBuffer, int x, int y,
             src += stride;
         }
     } else {
-        while (height--) {
+        while (--height >= 0) {
             const quint8 s = *src;
             if (s) {
                 __m128i mask1 = _mm_set1_epi8(s);
@@ -423,7 +423,7 @@ QT_WARNING_DISABLE_MSVC(4309) // truncation of constant value
     const __m128i maskadd = _mm_set_epi16(0x7f7f, 0x7e7e, 0x7c7c, 0x7878,
                                           0x7070, 0x6060, 0x4040, 0x0000);
 
-    while (height--) {
+    while (--height >= 0) {
         for (int x = 0; x < width; x += 8) {
             const quint8 s = src[x >> 3];
             if (!s)
@@ -558,7 +558,7 @@ void qt_scale_image_argb32_on_argb32_sse2(uchar *destPixels, int dbpl,
     if (xend < 0 || xend >= (int)(sbpl/sizeof(quint32)))
         --w;
 
-    while (h--) {
+    while (--h >= 0) {
         const uint *src = (const quint32 *) (srcPixels + (srcy >> 16) * sbpl);
         int srcx = basex;
         int x = 0;