author | Konstantin Ritt <ritt.ks@gmail.com> | 2014-11-25 15:41:29 +0400 |
---|---|---|
committer | Konstantin Ritt <ritt.ks@gmail.com> | 2014-12-24 15:05:24 +0100 |
commit | e9dbaa328e7d26ad6a7b5fd2490191751a7731b4 (patch) | |
tree | f4a2b2f62d4388a106e13edefd782adb242adb26 /src/plugins/platforms/windows/qwindowsfontengine.cpp | |
parent | 5b11e43e9f7551b9cb1ea7a6effdcab4bfa6b8c9 (diff) |
Fix potential memory access violation issues
The LOGFONT docs clearly state that the `lfFaceName` member is a null-terminated
string of at most LF_FACESIZE characters, including the trailing null.
This patch covers two cases at once:
1. If family name is longer than LF_FACESIZE - 1, it would be truncated
and terminated with null, to prevent memory access beyond
the LOGFONT instance.
2. If family name is a fromRawData QString, we don't assume it is
null-terminated either and guarantee trailing null ourselves.
Change-Id: I8f607efc7d0901537a4179e36cc51df94203f08d
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com>
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
Diffstat (limited to 'src/plugins/platforms/windows/qwindowsfontengine.cpp')
-rw-r--r-- | src/plugins/platforms/windows/qwindowsfontengine.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/plugins/platforms/windows/qwindowsfontengine.cpp b/src/plugins/platforms/windows/qwindowsfontengine.cpp
index a182987e3f..5790360d34 100644
--- a/src/plugins/platforms/windows/qwindowsfontengine.cpp
+++ b/src/plugins/platforms/windows/qwindowsfontengine.cpp
@@ -1329,13 +1329,18 @@ QFontEngine *QWindowsMultiFontEngine::loadEngine(int at)
 }
 const QString fam = fallbackFamilyAt(at - 1);
- memcpy(lf.lfFaceName, fam.utf16(), sizeof(wchar_t) * qMin(fam.length() + 1, 32)); // 32 = Windows hard-coded
+ const int faceNameLength = qMin(fam.length(), LF_FACESIZE - 1);
+ memcpy(lf.lfFaceName, fam.utf16(), faceNameLength * sizeof(wchar_t));
+ lf.lfFaceName[faceNameLength] = 0;
 #ifndef QT_NO_DIRECTWRITE
 if (fontEngine->type() == QFontEngine::DirectWrite) {
- const QString nameSubstitute = QWindowsFontEngineDirectWrite::fontNameSubstitute(QString::fromWCharArray(lf.lfFaceName));
- memcpy(lf.lfFaceName, nameSubstitute.utf16(),
- sizeof(wchar_t) * qMin(nameSubstitute.length() + 1, LF_FACESIZE));
+ const QString nameSubstitute = QWindowsFontEngineDirectWrite::fontNameSubstitute(fam);
+ if (nameSubstitute != fam) {
+ const int nameSubstituteLength = qMin(nameSubstitute.length(), LF_FACESIZE - 1);
+ memcpy(lf.lfFaceName, nameSubstitute.utf16(), nameSubstituteLength * sizeof(wchar_t));
+ lf.lfFaceName[nameSubstituteLength] = 0;
+ }
 IDWriteFont *directWriteFont = 0;
 HRESULT hr = data->directWriteGdiInterop->CreateFontFromLOGFONT(&lf, &directWriteFont);
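Review bot: Truncating at LF_FACESIZE - 1 UTF-16 code units (`faceNameLength` and `nameSubstituteLength`) can cut a surrogate pair, so a family name whose non-BMP character straddles the limit leaves a lone high surrogate at the end of `lf.lfFaceName`; the copy is now in bounds, but the name passed to CreateFontFromLOGFONT is malformed rather than merely shortened. How GDI or DirectWrite treat a lone surrogate is not visible in this hunk, but silently matching a different family is the likely outcome either way, and the truncation itself is silent too. The same truncate-and-terminate sequence now appears twice in the hunk; factoring it into one static helper that steps back one unit when the last copied unit is a high surrogate (a qWarning on truncation could live there as well) keeps both sites identical and puts the check in one place. The enclosing `QWindowsMultiFontEngine::loadEngine` begins and ends outside the hunk.
```cpp
// Copy a family name into lf.lfFaceName: at most LF_FACESIZE - 1 UTF-16 units,
// always null-terminated, and never ending on the high half of a surrogate pair.
static void setFaceName(LOGFONT &lf, const QString &name)
{
    int len = qMin(name.length(), LF_FACESIZE - 1);
    if (len < name.length() && len > 0 && name.at(len - 1).isHighSurrogate())
        --len;
    memcpy(lf.lfFaceName, name.utf16(), len * sizeof(wchar_t));
    lf.lfFaceName[len] = 0;
}

// … in loadEngine, replacing the first copy …
    setFaceName(lf, fam);
// … unchanged: DirectWrite branch, fontNameSubstitute(fam) …
        if (nameSubstitute != fam)
            setFaceName(lf, nameSubstitute);
```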