QSGOpenGLDistanceFieldGlyphCache: Fix multiplication result truncation and UB
[PATCH 1/2] QSGOpenGLDistanceFieldGlyphCache: fix multiplication result truncation
The type of the expression int * int is int, so truncation has already
happened when the result is assigned to a qint64.
Fix by casting one of the multiplicands to qint64 before performing
the multiplication. This multiplication cannot overflow, because int
is 32-bit on all supported platforms.
The addition of 'size' to the pointer will still truncate the result,
on 32bit platforms, but that check is in itself UB. A follow-up commit
will fix the check, and with it the last truncation to 32bit.
Coverity-Id: 218769
Pick-to: 6.3 6.2 5.15
Change-Id: I0d71950695b9743db8c96d825e68bb1e9c47de02
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit cacfc1dbb9719c0ef55cff69dad0921ce1405438)
[PATCH 2/2] QSGOpenGLDistanceFieldGlyphCache: fix UB (ordering of pointers not from the same array)
The code performed out of bounds checks by adding the size of the
buffer to a pointer and comparing the result to the
one-past-the-end pointer of the buffer.
This is UB, for three reasons:
- in one case, a qint64 is added to a pointer, silently truncating the
result on 32bit platforms
- if the buffer overflow is large, the pointer value may wrap around,
yielding a result that is numerically less than the end pointer, but
still out-of-bounds.
- pointer order is only defined within a C array, plus one past the
end. On failure, pointers outside that range are compared.
Fix by comparing distance(it, end) with the required size for the
chunk to be written instead.
Pick-to: 6.3 6.2 5.15
Change-Id: I356bb8c8a65a93b8b1c1eb7bac381dd64bea719e
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 8d9bd6b381bfc759d575954801b683354ad6a790)