Fix handling of surrogates in QBidiAlgorithm

Prior code was naively assuming the character after a high surrogate
would necessarily be a low surrogate, which is buggy.
Fixes oss-fuzz issue 29718.

Pick-to: 6.0 6.1 5.15
Change-Id: I10f023c4b5024a0d76fea0a3672001063591ec6d
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp
index 675e87b322..b31b880693 100644
--- a/src/gui/text/qtextengine.cpp
+++ b/src/gui/text/qtextengine.cpp
@@ -1,6 +1,6 @@
 /****************************************************************************
 **
-** Copyright (C) 2016 The Qt Company Ltd.
+** Copyright (C) 2021 The Qt Company Ltd.
 ** Contact: https://www.qt.io/licensing/
 **
 ** This file is part of the QtGui module of the Qt Toolkit.
@@ -258,7 +258,7 @@ struct QBidiAlgorithm {
         for (int i = 0; i < length; ++i) {
             int pos = i;
             char32_t uc = text[i].unicode();
-            if (QChar::isHighSurrogate(uc) && i < length - 1) {
+            if (QChar::isHighSurrogate(uc) && i < length - 1 && text[i + 1].isLowSurrogate()) {
                 ++i;
                 analysis[i].bidiDirection = QChar::DirNSM;
                 uc = QChar::surrogateToUcs4(ushort(uc), text[i].unicode());