authorEirik Aavitsland <eirik.aavitsland@qt.io>2021-01-26 17:29:08 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2021-02-11 06:18:32 +0000
commit69e0205bcb29adf5cf0a1c978f1f11514356a3fc (patch)
tree63b32f57cec724eb6776654389ab91c2d8e62523
parent3fec6597a5d718f5aa2ba5976b9175635a191ca0 (diff)
Avoid overflow in text layout
Fixes oss-fuzz issue 29313. Change-Id: Idbabd162fa9e0dbce687981bdbcc75be37189a61 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> Reviewed-by: Robert Löhning <robert.loehning@qt.io> (cherry picked from commit bfc09b8d8fa6c1a397aff458c644ed424754adf0) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/gui/text/qtextlayout.cpp4
-rw-r--r--tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp13
2 files changed, 17 insertions, 0 deletions
diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index d303219bb9..b2b87fb92e 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -820,6 +820,10 @@ QTextLine QTextLayout::createLine()
int l = d->lines.size();
if (l && d->lines.at(l-1).length < 0) {
QTextLine(l-1, d).setNumColumns(INT_MAX);
+ if (d->maxWidth > QFIXED_MAX / 2) {
+ qWarning("QTextLayout: text too long, truncated.");
+ return QTextLine();
+ }
}
int from = l > 0 ? d->lines.at(l-1).from + d->lines.at(l-1).length + d->lines.at(l-1).trailingSpaces : 0;
int strlen = d->layoutData->string.length();
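Review bot: The new `d->maxWidth > QFIXED_MAX / 2` guard sits inside the `if (l && d->lines.at(l-1).length < 0)` branch, so it runs only when the previous line was left unfinished and had to be closed with `setNumColumns(INT_MAX)`. If a caller sizes every line itself, the accumulated width is presumably never checked here, which is worth confirming against the fuzzer input. The check also runs after that line has already been laid out, so the `/ 2` headroom is what keeps the fixed-point arithmetic in range; that deserves a comment such as `// Stop while maxWidth still has headroom below QFIXED_MAX; past this point QFixed arithmetic can overflow.` The early return hands back the same invalid QTextLine that the test's loop treats as the end of layout, so the truncation case should be mentioned in the createLine() documentation. createLine() starts before and continues past this hunk.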
diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
index bbb53d85cc..9726db188a 100644
--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
@@ -1896,6 +1896,19 @@ void tst_QTextLayout::longText()
QVERIFY(line.isValid());
QVERIFY(line.cursorToX(line.textLength() - 1) > 0);
}
+
+ {
+ QTextLayout layout(QString("Qt rocks! ").repeated(200000));
+ layout.setCacheEnabled(true);
+ layout.beginLayout();
+ forever {
+ QTextLine line = layout.createLine();
+ if (!line.isValid())
+ break;
+ }
+ layout.endLayout();
+ QVERIFY(layout.maximumWidth() <= QFIXED_MAX);
+ }
}
void tst_QTextLayout::widthOfTabs()
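Review bot: The final assertion `QVERIFY(layout.maximumWidth() <= QFIXED_MAX);` also passes for a width that overflowed to a negative value, so it would miss that form of the regression; add a lower bound such as `QVERIFY(layout.maximumWidth() >= 0);`. The `forever` loop depends on createLine() eventually returning an invalid line, so a regression there hangs the test instead of failing it; a capped iteration count would fail fast. If this input is expected to reach the new warning, `QTest::ignoreMessage(QtWarningMsg, "QTextLayout: text too long, truncated.");` before `beginLayout()` would pin that behaviour as well. longText() begins before the hunk.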