author | Konstantin Ritt <ritt.ks@gmail.com> | 2013-08-15 09:13:55 +0300 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-08-15 20:47:38 +0200 |
commit | a15b56b0c1eae0d368c16be2d81bba11cb1faee7 (patch) | |
tree | dccc19cab861b6f99ce55b0172a103c56e0bec91 /src/gui/text | |
parent | 751989df5cc441dcffbbbe2da0c3c0558701d5c6 (diff) |
Fix possible crash due to integer overflow
QFontEngineMulti::stringToCMap() stores the fallback engine index
in a glyph index's high byte, which means the maximum fallback engine index
it can store is 255, so limit the number of tries we're doing to this value.
Otherwise we could end up with `fontEngineMulti->engine(glyph >> 24) == 0`
after successful stringToCMap() call.
Task-number: QTBUG-30412
Change-Id: I06907a39186fd207f3ce4b732a1a54e615744082
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Diffstat (limited to 'src/gui/text')
-rw-r--r-- | src/gui/text/qfontengine.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/text/qfontengine.cpp b/src/gui/text/qfontengine.cpp index b58a1c98ec..6a6e67abb0 100644 --- a/src/gui/text/qfontengine.cpp +++ b/src/gui/text/qfontengine.cpp @@ -1444,7 +1444,7 @@ bool QFontEngineMulti::stringToCMap(const QChar *str, int len, tmpAdvance.x = glyphs->advances_x[glyph_pos]; tmpAdvance.y = glyphs->advances_y[glyph_pos]; } - for (int x=1; x < engines.size(); ++x) { + for (int x = 1, n = qMin(engines.size(), 256); x < n; ++x) { if (engines.at(x) == 0 && !shouldLoadFontEngineForCharacter(x, ucs4)) continue; |
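Review bot: the literal 256 in the new loop bound `qMin(engines.size(), 256)` carries no explanation at the point of use, and it is tied to the encoding the commit message describes (fallback engine index stored in the glyph index's high byte, read back with `glyph >> 24`). Consider deriving the limit from that shift, or giving it a named constant with a one-line comment, so the bound and the encoding cannot drift apart if either changes. The cap also means that any engine at index 256 or above is skipped silently; if `engines` can really grow that large, a debug warning here, or a limit enforced where the list is populated, would make the truncation visible instead of showing up as a missing glyph. Lastly, this hunk only bounds this one loop, so it is worth confirming that no other path in the file writes an engine index into the high byte without the same limit.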