Limit value in setFontSizeFromValue()

Avoids overflows in QFreetypeFace::computeSize and QFontEngineBox::boundingBox Fixes oss-fuzz issue 30290 Pick-to: 5.15 6.0 6.1 Change-Id: If8e9ff74bf706a701e26832ad21b3439a3b437f7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
author: Robert Löhning <robert.loehning@qt.io> 2021-02-26 22:37:32 +0100
committer: Robert Löhning <robert.loehning@qt.io> 2021-03-01 15:42:23 +0000
commit: 976fede67ca4a4d322bc8d2c00266a2e2f1a6e3d (patch)
tree: 12635ba2bbfa880b95c127bbd20ecdce26efca52
parent: e14ccf05534bbc2984b15f7f255adbffc4c7f769 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 05a5ec4420..46ed67ea7d 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -1143,14 +1143,14 @@ static bool setFontSizeFromValue(QCss::Value value, QFont *font, int *fontSizeAd
         s.chop(2);
         value.variant = s;
         if (value.variant.convert(QMetaType::fromType<qreal>())) {
-            font->setPointSizeF(value.variant.toReal());
+            font->setPointSizeF(qBound(qreal(0), value.variant.toReal(), qreal(1 << 24) - 1));
             valid = true;
         }
     } else if (s.endsWith(QLatin1String("px"), Qt::CaseInsensitive)) {
         s.chop(2);
         value.variant = s;
         if (value.variant.convert(QMetaType::fromType<int>())) {
-            font->setPixelSize(value.variant.toInt());
+            font->setPixelSize(qBound(0, value.variant.toInt(), (1 << 24) - 1));
             valid = true;
         }
     }
author	Robert Löhning <robert.loehning@qt.io>	2021-02-26 22:37:32 +0100
committer	Robert Löhning <robert.loehning@qt.io>	2021-03-01 15:42:23 +0000
commit	976fede67ca4a4d322bc8d2c00266a2e2f1a6e3d (patch)
tree	12635ba2bbfa880b95c127bbd20ecdce26efca52
parent	e14ccf05534bbc2984b15f7f255adbffc4c7f769 (diff)