From 8af2f7b5085ee56d289584bddbccc8dead04b9d1 Mon Sep 17 00:00:00 2001
From: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@nokia.com>
Date: Thu, 17 Jun 2010 10:43:32 +0200
Subject: Fix possible crash in QTextLayout for glyphless items

Change e1915815bc5ef86b3844608bba46769da5173363 moved part of the
right bearing check out of the "non-whitespace-or-object" block of the
layout, which could potentially cause crashes for layouts that contained
items that were line separators or tabs etc. because we would access
the logical clusters array based on the position of e.g. the tab even
though it didn't have an entry. This could potentially give us an
arbitrary index which might cause an out of bounds when accessing the
glyphs array.

Task-number: QTBUG-11427
Reviewed-by: Simon Hausmann
---
 tests/auto/qtextlayout/tst_qtextlayout.cpp | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'tests/auto/qtextlayout')

diff --git a/tests/auto/qtextlayout/tst_qtextlayout.cpp b/tests/auto/qtextlayout/tst_qtextlayout.cpp
index caf9bd3f00..6d27ef24f9 100644
--- a/tests/auto/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/qtextlayout/tst_qtextlayout.cpp
@@ -110,6 +110,7 @@ private slots:
     void longText();
     void widthOfTabs();
     void columnWrapWithTabs();
+    void glyphLessItems();
 
     // QTextLine stuff
     void setNumColumnsWrapAtWordBoundaryOrAnywhere();
@@ -1319,6 +1320,24 @@ void tst_QTextLayout::lineWidthFromBOM()
     // Don't spin into an infinite loop
  }
 
+void tst_QTextLayout::glyphLessItems()
+{
+    {
+        QTextLayout layout;
+        layout.setText("\t\t");
+        layout.beginLayout();
+        layout.createLine();
+        layout.endLayout();
+    }
+
+    {
+        QTextLayout layout;
+        layout.setText(QString::fromLatin1("AA") + QChar(QChar::LineSeparator));
+        layout.beginLayout();
+        layout.createLine();
+        layout.endLayout();
+    }
+}
 
 QTEST_MAIN(tst_QTextLayout)
 #include "tst_qtextlayout.moc"
-- 
cgit v1.2.3