author | Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com> | 2012-12-11 14:07:16 +0100 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-01-03 16:15:37 +0100 |
commit | 248ccb2889aec76cb99c25998534c97b48b98c4a (patch) | |
tree | 245b07bbef790f3f87fdcd7406dfe1efb5f76f59 /src | |
parent | 4319f698c893683c6a031e41272b85cfb25ac931 (diff) |
Fix possible crash in QTextDocument
With trailing spaces in some cases, we would not get the
"no justification at end of paragraph" special case, and continue
in the code, getting the unexpected case where line_length becomes
< 0 which would lead to memory corruption because we were writing
outside our buffers. I added an assert to catch this type of bug
earlier, and I added the trailing spaces to the test for the end
of the paragraph.
The test case added is one example which would crash.
Task-number: QTBUG-27354
Change-Id: Id720a6fa55dbc709ce04dd5321e55687bf960d75
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/gui/text/qtextengine.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp index 82cff6a043..37d6276f6b 100644 --- a/src/gui/text/qtextengine.cpp +++ b/src/gui/text/qtextengine.cpp @@ -1852,7 +1852,7 @@ void QTextEngine::justify(const QScriptLine &line) itemize(); if (!forceJustification) { - int end = line.from + (int)line.length; + int end = line.from + (int)line.length + line.trailingSpaces; if (end == layoutData->string.length()) return; // no justification at end of paragraph if (end && layoutData->items[findItem(end-1)].analysis.flags == QScriptAnalysis::LineOrParagraphSeparator) @@ -1907,6 +1907,8 @@ void QTextEngine::justify(const QScriptLine &line) int gs = log_clusters[start]; int ge = (end == length(firstItem+i) ? si.num_glyphs : log_clusters[end]); + Q_ASSERT(ge <= si.num_glyphs); + const QGlyphLayout g = shapedGlyphs(&si); for (int i = gs; i < ge; ++i) { |
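Review bot: in the first hunk (`@@ -1852,7 +1852,7 @@`), the separator check two lines below the changed `int end = ...` line still reads `findItem(end-1)`. With `line.trailingSpaces` now included in `end`, that index points at the last trailing space instead of the last character counted in `line.length` whenever the line has trailing spaces. Please confirm that the `LineOrParagraphSeparator` test is meant to look at that position, or keep a second variable without the trailing spaces for it. Smaller points on the same line: `line.length` is cast with `(int)` while `line.trailingSpaces` is added uncast, and a short comment saying why trailing spaces count toward the end-of-paragraph test would help the next reader.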
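Review bot: in the second hunk (`@@ -1907,6 +1907,8 @@`), `Q_ASSERT(ge <= si.num_glyphs);` is compiled out in release builds. If some other input reaches this point with `ge` larger than `si.num_glyphs`, the loop `for (int i = gs; i < ge; ++i)` still runs with indexes beyond the glyph count, which is the out-of-buffer write the commit message describes. Consider a runtime guard next to the assert, for instance clamping `ge` to `si.num_glyphs` or returning early. The assert also covers only the upper bound of `ge`; `gs` is taken from `log_clusters[start]` without a check, so asserting `gs <= ge` as well would catch the same class of bug from the other side.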