1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

QHeaderView: fix UB (signed overflow) in setOffset()

Browse Source 
I have no idea why setOffset() would accept all int values, but
tst_QHeaderView::getSetCheck() checks the function with both INT_MIN
and INT_MAX (albeit without having show()n the object it so tortures),
so try to make it work(-ish).

0 - INT_MIN overflows, of course, so use saturation math to calculate
the result. This might not scroll to pixel precision, but it couldn't
have done so before, either (no int value can possibly represent the
mathematical value, otherwise it wouldn't have overflown). But at
least we now don't run into UB anymore.

Said UBSan:

  qheaderview.cpp:418:9: runtime error: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
   #0 0x7f183ffa4a5f in QHeaderView::setOffset(int) qheaderview.cpp:418
   #1 0x55f5ca56a5fe in tst_QHeaderView::getSetCheck() tst_qheaderview.cpp:437

While q26::saturate_cast was only picked to 6.8, its predecessor,
qt_saturate(), was picked to 6.2, so use that, for now, and port to
q26::saturate_cast in a follow-up.

As a drive-by, mark ndelta const.

Amends the start of the public history.

Pick-to: 6.8 6.5
Change-Id: I118c917ccd588c0b6d407090609f4d17075bbab6
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
(cherry picked from commit 03d1e81516be9af37fa08900f9a2d88d34abc4df)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Marc Mutz 2025-03-26 11:08:33 +01:00 committed by Qt Cherry-pick Bot
parent 9747e0a8b1
commit 9c9146a5cd
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/widgets/itemviews/qheaderview.cpp
View File

@ -27,6 +27,7 @@
#include <private/qabstractitemmodel_p.h> #include <private/qabstractitemmodel_p.h>
#include <private/qabstractitemdelegate_p.h> #include <private/qabstractitemdelegate_p.h>
#include <QtCore/private/qnumeric_p.h>
#ifndef QT_NO_DATASTREAM #ifndef QT_NO_DATASTREAM
#include <qdatastream.h> #include <qdatastream.h>
#endif #endif
@ -415,7 +416,8 @@ void QHeaderView::setOffset(int newOffset)
Q_D(QHeaderView); Q_D(QHeaderView);
if (d->headerOffset == newOffset) if (d->headerOffset == newOffset)
return; return;
int ndelta = d->headerOffset - newOffset; // don't overflow; this function is checked with both INT_MIN and INT_MAX...
const int ndelta = qt_saturate<int>(d->headerOffset - qint64{newOffset});
d->headerOffset = newOffset; d->headerOffset = newOffset;
if (d->orientation == Qt::Horizontal) if (d->orientation == Qt::Horizontal)
d->viewport->scroll(isRightToLeft() ? -ndelta : ndelta, 0); d->viewport->scroll(isRightToLeft() ? -ndelta : ndelta, 0);