(CVE-2021-38593) 3 Backports around avoiding processing-intensive painting of high number of tiny dashes

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566

[PATCH 1/3] Avoid processing-intensive painting of high number of tiny dashes

When stroking a dashed path, an unnecessary amount of processing would
be spent if there is a huge number of dashes visible, e.g. because of
scaling. Since the dashes are too small to be individually visible
anyway, just replace with a semi-transparent solid line for such
cases.

Pick-to: 6.1 6.0 5.15
Change-Id: I9e9f7861257ad5bce46a0cf113d1a9d7824911e6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit f4d791b330d02777fcaf02938732892eb3167e9b)

* asturmlechner 2021-08-21:
Conflict from preceding 94dd2ceb in dev branch:
	src/gui/painting/qpaintengineex.cpp
	Resolved via:

     if (pen.style() > Qt::SolidLine) {
         QRectF cpRect = path.controlPointRect();
         const QTransform &xf = state()->matrix;
-        if (pen.isCosmetic()) {
+        if (qt_pen_is_cosmetic(pen, state()->renderHints)){
             clipRect = d->exDeviceRect;
             cpRect.translate(xf.dx(), xf.dy());
         } else {
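
Review bot: on the added `if (qt_pen_is_cosmetic(pen, state()->renderHints)){` line there is no space between `)` and `{`, while the `} else {` two lines below has one; write `) {` to match. The resolution note names the conflicting commit 94dd2ceb but not why this branch needs `qt_pen_is_cosmetic()` with the render hints in place of `pen.isCosmetic()`; a one-line reason would help whoever next cherry-picks into this file.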

FTBFS from preceding 471e4fcb in dev branch changing QVector to QList:
	Resolved via:

         QRectF extentRect = cpRect.adjusted(-pw, -pw, pw, pw) & clipRect;
         qreal extent = qMax(extentRect.width(), extentRect.height());
         qreal patternLength = 0;
-        const QList<qreal> pattern = pen.dashPattern();
+        const QVector<qreal> pattern = pen.dashPattern();
         const int patternSize = qMin(pattern.size(), 32);
         for (int i = 0; i < patternSize; i++)
             patternLength += qMax(pattern.at(i), qreal(0));
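
Review bot: the `32` in `qMin(pattern.size(), 32)` is an unexplained magic number, and for a pattern with more than 32 entries `patternLength` sums only the first 32, so it is a lower bound rather than the pattern's real length. If the cap is there to bound the loop on very long patterns, a short comment above it saying so, and saying that the sum is only an estimate, would make that explicit. The visible lines also leave `patternLength` at 0 when every entry is non-positive, so whatever consumes it after the loop needs to handle zero.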

[PATCH 2/3] Improve fix for avoiding huge number of tiny dashes

Some pathological cases were not caught by the previous fix.

Fixes: QTBUG-95239
Pick-to: 6.2 6.1 5.15
Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c)

[PATCH 3/3] Refix for avoiding huge number of tiny dashes

Previous fix hit too widely so some valid horizontal and vertical
lines were affected; the root problem being that such lines have an
empty control point rect (width or height is 0). Fix by calculating in
the pen width.

Pick-to: 6.2 6.1 5.15
Change-Id: I7a436e873f6d485028f6759d0e2c6456f07eebdc
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 84aba80944a2e1c3058d7a1372e0e66676411884)
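
The check that the three commit messages above describe, sketched without Qt as an added example (not code from this merge request or from Qt). `planDashedStroke`, `StrokePlan`, `Rect` and the 10000-repetition limit are assumptions made for the illustration; the page does not state the real threshold or the opacity used.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Added illustration, not Qt source. All names and the limit are assumptions.
enum class StrokePlan { Dashed, SolidTranslucent, Skip };
struct Rect { double x, y, w, h; };

// Assumed cap on pattern repetitions across the visible extent.
constexpr double kMaxPatternRepeats = 10000.0;

// Axis-aligned intersection; a disjoint result has w == 0 or h == 0.
static Rect intersect(const Rect &a, const Rect &b) {
    const double x1 = std::max(a.x, b.x), y1 = std::max(a.y, b.y);
    const double x2 = std::min(a.x + a.w, b.x + b.w);
    const double y2 = std::min(a.y + a.h, b.y + b.h);
    return {x1, y1, std::max(0.0, x2 - x1), std::max(0.0, y2 - y1)};
}

// Decide how to stroke before any dash geometry is generated, so the cost
// of the decision does not depend on how many dashes the input asks for.
StrokePlan planDashedStroke(const Rect &controlPoints, const Rect &clip,
                            double penWidth, const std::vector<double> &pattern) {
    const double pw = penWidth > 0 ? penWidth : 1.0;
    // Grow by the pen width (patch 3/3) so a horizontal or vertical line,
    // whose control point rect has zero height or width, is not empty.
    const Rect grown{controlPoints.x - pw, controlPoints.y - pw,
                     controlPoints.w + 2 * pw, controlPoints.h + 2 * pw};
    const Rect visible = intersect(grown, clip);
    const double extent = std::max(visible.w, visible.h);

    double patternLength = 0;
    const std::size_t n = std::min<std::size_t>(pattern.size(), 32);
    for (std::size_t i = 0; i < n; ++i)
        patternLength += std::max(pattern[i], 0.0); // ignore negative entries
    patternLength *= pw; // QPen dash lengths are in units of the pen width

    if (patternLength <= 0)
        return StrokePlan::Skip; // degenerate pattern; this example's own choice
    if (extent / patternLength > kMaxPatternRepeats)
        return StrokePlan::SolidTranslucent; // dashes too small to see
    return StrokePlan::Dashed;
}

int main() {
    // Constructed input: path scaled to 1e9 units with a 0.002-unit pattern.
    const StrokePlan p = planDashedStroke({0, 0, 1e9, 0}, {0, 0, 1e9, 1e9}, 1, {0.001, 0.001});
    return p == StrokePlan::SolidTranslucent ? 0 : 1;
}
```

Clipping to the visible rectangle is what keeps a long but mostly off-screen dashed path on the normal path: only the part that would actually be painted counts toward the limit.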
