Fix potential memory access violation issues

LOGFONT docs clearly states `lfFaceName` member is a null-terminated string of length not longer than LF_FACESIZE, including trailing null. This patch covers two cases at once: 1. If family name is longer than LF_FACESIZE - 1, it would be truncated and terminated with null, to prevent memory access beyond the LOGFONT instance. 2. If family name is a fromRawData QString, we don't assume it is null-terminated either and guarantee trailing null ourselves. Change-Id: I8f607efc7d0901537a4179e36cc51df94203f08d Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com> Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
author: Konstantin Ritt <ritt.ks@gmail.com> 2014-11-25 15:41:29 +0400
committer: Konstantin Ritt <ritt.ks@gmail.com> 2014-12-24 15:05:24 +0100
commit: e9dbaa328e7d26ad6a7b5fd2490191751a7731b4 (patch)
tree: f4a2b2f62d4388a106e13edefd782adb242adb26 /src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
parent: 5b11e43e9f7551b9cb1ea7a6effdcab4bfa6b8c9 (diff)
1 files changed, 5 insertions, 9 deletions
diff --git a/src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp b/src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
index 41e767dd1b..a2d9c3e75b 100644
--- a/src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
+++ b/src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
@@ -369,14 +369,9 @@ static int QT_WIN_CALLBACK storeFontSub(ENUMLOGFONTEX* f, NEWTEXTMETRICEX *textm
 
     HDC dummy = GetDC(0);
     LOGFONT lf;
+    memset(&lf, 0, sizeof(LOGFONT));
     lf.lfCharSet = DEFAULT_CHARSET;
-    if (wcslen(f->elfLogFont.lfFaceName) >= LF_FACESIZE) {
-        qWarning("%s: Unable to enumerate family '%s'.",
-                 __FUNCTION__, qPrintable(QString::fromWCharArray(f->elfLogFont.lfFaceName)));
-        return 1;
-    }
-    wmemcpy(lf.lfFaceName, f->elfLogFont.lfFaceName,
-            wcslen(f->elfLogFont.lfFaceName) + 1);
+    memcpy(lf.lfFaceName, f->elfLogFont.lfFaceName, LF_FACESIZE * sizeof(wchar_t));
     lf.lfPitchAndFamily = 0;
     EnumFontFamiliesEx(dummy, &lf, (FONTENUMPROC)storeFont,
                        (LPARAM)namesSetIn, 0);
@@ -411,20 +406,21 @@ void QWindowsFontDatabaseFT::populate(const QString &family)
 
     HDC dummy = GetDC(0);
     LOGFONT lf;
+    memset(&lf, 0, sizeof(LOGFONT));
     lf.lfCharSet = DEFAULT_CHARSET;
     if (family.size() >= LF_FACESIZE) {
         qWarning("%s: Unable to enumerate family '%s'.",
                  __FUNCTION__, qPrintable(family));
         return;
     }
-    wmemcpy(lf.lfFaceName, reinterpret_cast<const wchar_t*>(family.utf16()),
-            family.size() + 1);
+
     lf.lfPitchAndFamily = 0;
 
     if (family.isEmpty()) {
         EnumFontFamiliesEx(dummy, &lf, (FONTENUMPROC)storeFontSub,
                            (LPARAM)&m_families, 0);
     } else {
+        memcpy(lf.lfFaceName, family.utf16(), family.size() * sizeof(wchar_t));
         EnumFontFamiliesEx(dummy, &lf, (FONTENUMPROC)storeFont,
                            (LPARAM)&m_families, 0);
     }
author	Konstantin Ritt <ritt.ks@gmail.com>	2014-11-25 15:41:29 +0400
committer	Konstantin Ritt <ritt.ks@gmail.com>	2014-12-24 15:05:24 +0100
commit	e9dbaa328e7d26ad6a7b5fd2490191751a7731b4 (patch)
tree	f4a2b2f62d4388a106e13edefd782adb242adb26 /src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
parent	5b11e43e9f7551b9cb1ea7a6effdcab4bfa6b8c9 (diff)