--- ./src/kernel/qpixmap_x11.cpp.orig 2005-01-21 11:16:11.000000000 -0600 +++ ./src/kernel/qpixmap_x11.cpp 2006-10-23 17:14:13.000000000 -0500 @@ -950,6 +950,9 @@ bool force_mono = (dd == 1 || isQBitmap() || (conversion_flags & ColorMode_Mask)==MonoOnly ); + if ( w >= 32768 || h >= 32768 ) + return FALSE; + // get rid of the mask delete data->mask; data->mask = 0; @@ -1675,11 +1678,11 @@ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const { - int w = 0; - int h = 0; // size of target pixmap - int ws, hs; // size of source pixmap + uint w = 0; + uint h = 0; // size of target pixmap + uint ws, hs; // size of source pixmap uchar *dptr; // data in target pixmap - int dbpl, dbytes; // bytes per line/bytes total + uint dbpl, dbytes; // bytes per line/bytes total uchar *sptr; // data in original pixmap int sbpl; // bytes per line in original int bpp; // bits per pixel @@ -1694,19 +1697,24 @@ QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. ); + double scaledWidth; + double scaledHeight; + if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) { if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F ) return *this; // identity matrix - h = qRound( matrix.m22()*hs ); - w = qRound( matrix.m11()*ws ); - h = QABS( h ); - w = QABS( w ); + scaledHeight = matrix.m22()*hs; + scaledWidth = matrix.m11()*ws; + h = QABS( qRound( scaledHeight ) ); + w = QABS( qRound( scaledWidth ) ); } else { // rotation or shearing QPointArray a( QRect(0,0,ws+1,hs+1) ); a = mat.map( a ); QRect r = a.boundingRect().normalize(); w = r.width()-1; h = r.height()-1; + scaledWidth = w; + scaledHeight = h; } mat = trueMatrix( mat, ws, hs ); // true matrix 
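Review bot: The size cap added in the `@@ -950` hunk of qpixmap_x11.cpp uses the bare literal 32768, and the same literal appears again in the `@@ -1715` hunk of xForm, with no comment saying what limit it encodes (presumably a 16-bit coordinate range, but nothing visible confirms that). A single named constant with a one-line rationale would keep the two checks in step, e.g. `static const int qt_max_pixmap_dim = 32768; // exclusive upper bound on pixmap width/height` and `if ( w >= qt_max_pixmap_dim || h >= qt_max_pixmap_dim )`. The enclosing function starts and ends outside the hunk, so whether returning FALSE at this point leaves the pixmap in its previous state cannot be confirmed from the visible lines.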
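Review bot: In the `@@ -1675` hunk of QPixmap::xForm, `w`, `h`, `ws`, `hs`, `dbpl` and `dbytes` become `uint` while `sbpl` and `bpp` stay `int`, so any later expression that mixes them is evaluated as unsigned and a negative intermediate becomes a large positive value instead of failing a `< 0` test. The rotation branch in the next hunk already depends on this: if `r.width()-1` is ever negative, `w` wraps and is rejected only because `scaledWidth = w` copies the wrapped value into the 32768 check. The declarations should record that dependency, for example `uint dbpl, dbytes; // unsigned: relies on w, h < 32768 being enforced before use`. The code that computes dbpl and dbytes is outside the hunk.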
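Review bot: In the scaling branch of the `@@ -1694` hunk, `qRound( scaledHeight )` and `qRound( scaledWidth )` run before the range test that the following hunk adds, so an out-of-range product is converted first and only checked afterwards. qRound is not shown here, but if it converts the double to `int`, the result for values beyond the int range is undefined. Testing before the conversion avoids that: `if ( !(QABS(scaledHeight) < 32768) || !(QABS(scaledWidth) < 32768) )` with the null-pixmap return, placed ahead of the assignments to `h` and `w`. The body of xForm continues outside the hunk.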
@@ -1715,7 +1723,8 @@ bool invertible; mat = mat.invert( &invertible ); // invert matrix - if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap + if ( h == 0 || w == 0 || !invertible + || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap QPixmap pm; pm.data->bitmap = data->bitmap; return pm; --- ./src/kernel/qimage.cpp.orig 2005-01-21 11:16:11.000000000 -0600 +++ ./src/kernel/qimage.cpp 2006-10-23 17:14:12.000000000 -0500 @@ -475,7 +475,12 @@ Endian bitOrder ) { init(); - if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + int bpl = ((w*depth+31)/32)*4; // bytes per scanline + if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(depth) < uint(w) + || bpl <= 0 + || INT_MAX / uint(bpl) < uint(h) ) return; // invalid parameter(s) data->w = w; data->h = h; @@ -483,7 +488,6 @@ data->ncols = depth != 32 ? numColors : 0; if ( !yourdata ) return; // Image header info can be saved without needing to allocate memory. - int bpl = ((w*depth+31)/32)*4; // bytes per scanline data->nbytes = bpl*h; if ( colortable || !data->ncols ) { data->ctbl = colortable; @@ -523,7 +527,10 @@ Endian bitOrder ) { init(); - if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(bpl) < uint(h) + ) return; // invalid parameter(s) data->w = w; data->h = h; @@ -1259,7 +1266,7 @@ if ( data->ncols != numColors ) // could not alloc color table return FALSE; - if ( INT_MAX / depth < width) { // sanity check for potential overflow + if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; } 
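Review bot: The test added in the `@@ -1715` hunk, `QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768`, is false when either value is NaN, so a matrix whose m11 or m22 is NaN passes the size check in xForm. Written as a negated in-range test it rejects NaN as well: `|| !(QABS(scaledWidth) < 32768) || !(QABS(scaledHeight) < 32768)`. This assumes QABS is a plain comparison-based macro; its definition is not in the visible lines.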
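Review bot: In the `@@ -475` hunk of qimage.cpp, `int bpl = ((w*depth+31)/32)*4;` is now evaluated before any argument is validated, so `w*depth` can overflow a signed int before the `INT_MAX / uint(depth) < uint(w)` test is reached. Signed overflow is undefined, and the `bpl <= 0` test cannot be relied on to detect it afterwards because a wrapped product can also come out positive. The argument checks should run first and bpl be computed only once `w*depth` is known to fit, with the `+31` rounding done in unsigned arithmetic, as sketched below. The constructor's signature and the rest of its body are outside the hunk.

```cpp
    init();
    if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0
         || INT_MAX / sizeof(uchar *) < uint(h)
         || INT_MAX / uint(depth) < uint(w) )
        return;                         // invalid parameter(s)
    // w*depth fits in an int here; round up in unsigned so +31 cannot overflow
    const uint ubpl = ((uint(w)*uint(depth)+31)/32)*4;
    if ( uint(INT_MAX) / ubpl < uint(h) )
        return;                         // total image size would overflow
    int bpl = int(ubpl);                // bytes per scanline
    // … unchanged: data->w / data->h assignments and the rest of the constructor …
```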
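Review bot: In the `@@ -523` hunk, `INT_MAX / uint(bpl) < uint(h)` divides by `bpl` without first rejecting zero. bpl is not declared in the visible lines and is presumably a caller-supplied constructor argument, since the signature starts outside the hunk. A negative bpl is rejected because the cast makes the divisor huge, but `bpl == 0` is a division by zero. Putting the guard ahead of that term, as the `@@ -475` hunk does, closes it: `|| bpl <= 0 || INT_MAX / uint(bpl) < uint(h)`.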
@@ -1272,7 +1279,9 @@ // #### WWA: shouldn't this be (width*depth+7)/8: const int pad = bpl - (width*depth)/8; // pad with zeros #endif - if (INT_MAX / bpl < height) { // sanity check for potential overflow + if ( INT_MAX / uint(bpl) < uint(height) + || bpl < 0 + || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; }
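Review bot: The new condition tests `bpl < 0` only after `INT_MAX / uint(bpl)` has already been evaluated, and it uses `< 0` where the constructor hunk at `@@ -475` uses `bpl <= 0`. A negative bpl is already caught by the unsigned division, so the useful guard is against zero, and it has to come first: `if ( bpl <= 0 || INT_MAX / uint(bpl) < uint(height) || INT_MAX / sizeof(uchar *) < uint(height) ) {`. bpl is computed above the hunk, so whether zero is reachable depends on checks that are not visible here.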