diff options
| author | Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> | 2018-08-07 08:43:09 +0200 |
|---|---|---|
| committer | Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> | 2018-08-09 12:46:22 +0000 |
| commit | 65a1d41a092e78f7ab142c4c62689e1ca40ba10c (patch) | |
| tree | 98d97b912ca09e226272a0d447b4b359e69cb231 | |
| parent | 04671a80db32bd7fce470c50934cf60f2e8ffa70 (diff) | |
Fix potential crash when showing line/paragraph separators
When showing line and paragraph separators at an offset from the start
of the string, the end of string pointer would be incorrectly set, and
we would read past the end of the string. If any part of this memory
happened to match the line or paragraph separator, then we would
overwrite it and have a crash.
I couldn't find any reliable way to test this, since the crash depends on
the contents of the memory after the string allocated by the algorithm.
But with an overflow of 100 000 characters, I found that it crashed every
time I ran the test.
[ChangeLog][QtGui][Text] Fixed potential crash when using
QTextOption::ShowLineAndParagraphSeparators.
Task-number: QTBUG-69661
Change-Id: I17d1996b883560bacdc7ce114c8aeb2b0108faea
Reviewed-by: JiDe Zhang <zccrs@live.com>
Reviewed-by: Michal Lazo <xlazom00@gmail.com>
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
| -rw-r--r-- | src/gui/text/qtextengine.cpp | 2 | ||||
| -rw-r--r-- | tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp | 18 |
2 files changed, 19 insertions, 1 deletions
diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp index 5e38311fa1..6751c077ac 100644 --- a/src/gui/text/qtextengine.cpp +++ b/src/gui/text/qtextengine.cpp @@ -2053,7 +2053,7 @@ void QTextEngine::itemize() const layoutData->string.detach(); string = reinterpret_cast<const ushort *>(layoutData->string.unicode()); uc = string + offset; - e = uc + length; + e = string + length; *const_cast<ushort*>(uc) = 0x21B5; // visual line separator } break; diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp index 4e3d1da8fe..9c477589f9 100644 --- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp +++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp @@ -137,6 +137,7 @@ private slots: void nbspWithFormat(); void noModificationOfInputString(); void superscriptCrash_qtbug53911(); + void showLineAndParagraphSeparatorsCrash(); private: QFont testFont; @@ -2199,6 +2200,23 @@ void tst_QTextLayout::noModificationOfInputString() } } +void tst_QTextLayout::showLineAndParagraphSeparatorsCrash() +{ + QString s = QString(100000, QChar('a')) + QChar(QChar::LineSeparator); + { + QTextLayout layout; + layout.setText(s); + + QTextOption option; + option.setFlags(QTextOption::ShowLineAndParagraphSeparators); + layout.setTextOption(option); + + layout.beginLayout(); + layout.createLine(); + layout.endLayout(); + } +} + void tst_QTextLayout::superscriptCrash_qtbug53911() { static int fontSizes = 64; |