Avoid integer overflow and division by zero

Restrain patterns to sensible lengths and values. [ChangeLog][QCosmeticStroker] Pen patterns are restrained to a maximum length and values of 1024, fixing oss-fuzz issue 25310. Change-Id: If062f8336ff5ad113258391b0d70b8ac6f42c4b3 Reviewed-by: Robert Loehning <robert.loehning@qt.io> Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> (cherry picked from commit 1ff25785ff93d0bd3d597e3a65a261bdbfa13c3b)
2020-11-23 11:54:48 +01:00 · 2020-11-23 11:54:48 +01:00 · e2c0cc9bb3
commit e2c0cc9bb3
parent 00326c9dc1
1 changed files with 3 additions and 3 deletions
--- a/src/gui/painting/qcosmeticstroker.cpp
+++ b/src/gui/painting/qcosmeticstroker.cpp
@ -250,7 +250,7 @@ void QCosmeticStroker::setup()
        strokeSelection |= AntiAliased;

    const QVector<qreal> &penPattern = state->lastPen.dashPattern();
-    if (penPattern.isEmpty()) {
+    if (penPattern.isEmpty() || penPattern.size() > 1024) {
        Q_ASSERT(!pattern && !reversePattern);
        pattern = 0;
        reversePattern = 0;
@ -263,12 +263,12 @@ void QCosmeticStroker::setup()

        patternLength = 0;
        for (int i = 0; i < patternSize; ++i) {
-            patternLength += (int) qMax(1. , penPattern.at(i)*64.);
+            patternLength += (int)qBound(1., penPattern.at(i) * 64, 65536.);
            pattern[i] = patternLength;
        }
        patternLength = 0;
        for (int i = 0; i < patternSize; ++i) {
-            patternLength += (int) qMax(1., penPattern.at(patternSize - 1 - i)*64.);
+            patternLength += (int)qBound(1., penPattern.at(patternSize - 1 - i) * 64, 65536.);
            reversePattern[i] = patternLength;
        }
        strokeSelection |= Dashed;