authorKonstantin Ritt <ritt.ks@gmail.com>2014-11-25 15:41:29 +0400
committerKonstantin Ritt <ritt.ks@gmail.com>2014-12-24 15:05:24 +0100
commite9dbaa328e7d26ad6a7b5fd2490191751a7731b4 (patch)
treef4a2b2f62d4388a106e13edefd782adb242adb26 /src/plugins/platforms/direct2d
parent5b11e43e9f7551b9cb1ea7a6effdcab4bfa6b8c9 (diff)
Fix potential memory access violation issues
The LOGFONT docs clearly state that the `lfFaceName` member is a null-terminated string no longer than LF_FACESIZE, including the trailing null. This patch covers two cases at once: 1. If the family name is longer than LF_FACESIZE - 1, it is truncated and terminated with a null, to prevent memory access beyond the LOGFONT instance. 2. If the family name is a fromRawData QString, we don't assume it is null-terminated either, and we guarantee the trailing null ourselves. Change-Id: I8f607efc7d0901537a4179e36cc51df94203f08d Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com> Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
Diffstat (limited to 'src/plugins/platforms/direct2d')
-rw-r--r--src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp b/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
index a86bb0ee04..8c70f70edd 100644
--- a/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
+++ b/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
@@ -923,7 +923,11 @@ public:
static const char keyC[] = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes";
const QString familyName = QString::fromWCharArray(lf.lfFaceName);
const QString nameSubstitute = QSettings(QLatin1String(keyC), QSettings::NativeFormat).value(familyName, familyName).toString();
- memcpy(lf.lfFaceName, nameSubstitute.utf16(), sizeof(wchar_t) * qMin(nameSubstitute.length() + 1, LF_FACESIZE));
+ if (nameSubstitute != familyName) {
+ const int nameSubstituteLength = qMin(nameSubstitute.length(), LF_FACESIZE - 1);
+ memcpy(lf.lfFaceName, nameSubstitute.utf16(), nameSubstituteLength * sizeof(wchar_t));
+ lf.lfFaceName[nameSubstituteLength] = 0;
+ }
ComPtr<IDWriteFont> dwriteFont;
HRESULT hr = QWindowsDirect2DContext::instance()->dwriteGdiInterop()->CreateFontFromLOGFONT(&lf, &dwriteFont);
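Review bot: The new branch silently truncates a substitute longer than LF_FACESIZE - 1 characters, so `lf.lfFaceName` ends up holding a face name that the FontSubstitutes entry never named, and CreateFontFromLOGFONT is then asked for that different name (a cut at that index can also split a surrogate pair). Because the value is read from the registry and its length is not under this code's control, it would be safer to keep the original face name when the substitute does not fit, e.g. `if (nameSubstitute != familyName && nameSubstitute.length() < LF_FACESIZE) {`, while keeping the explicit terminator. Separately, the context line `QString::fromWCharArray(lf.lfFaceName)` still scans for a terminator with no bound; if `lf` can arrive unterminated (its origin is outside this hunk), passing a length bounded by LF_FACESIZE would close the read side as well. The enclosing function starts and ends outside the hunk.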