Fix crash when text contains too many directional chars

In case a text to be layouted contains more than 128 directional characters it causes the application to crash The function initScriptAnalysisAndIsolatePairs() collects information of RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is capped to 128. Later the function generateDirectionalRuns() iterates the text again and tries to access items from the previously capped vector above the upper bound. Task-number: QTBUG-77819 Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
author: Rainer Keller <Rainer.Keller@qt.io> 2019-08-27 14:44:48 +0200
committer: Rainer Keller <Rainer.Keller@qt.io> 2019-08-30 21:17:32 +0200
commit: 1232205e32464d90e871f39eb1e14fcf9b78a163 (patch)
tree: cac9678f45d7e9a9c7cca0da561429d037bdc6c7 /src
parent: b2df41b5a8649ea3f7c9cc2e23f6c5a06a1e4ea7 (diff)
1 files changed, 7 insertions, 8 deletions
diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp
index 2da13289bf..a7834587b1 100644
--- a/src/gui/text/qtextengine.cpp
+++ b/src/gui/text/qtextengine.cpp
@@ -399,6 +399,7 @@ struct QBidiAlgorithm {
                         analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL;
                     runHasContent = true;
                     lastRunWithContent = -1;
+                    ++isolatePairPosition;
                 }
                 int runBeforeIsolate = runs.size();
                 ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1);
@@ -440,21 +441,19 @@ struct QBidiAlgorithm {
                 doEmbed(true, true, false);
                 break;
             case QChar::DirLRI:
-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
                 doEmbed(false, false, true);
-                ++isolatePairPosition;
                 break;
             case QChar::DirRLI:
-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
                 doEmbed(true, false, true);
-                ++isolatePairPosition;
                 break;
             case QChar::DirFSI: {
-                const auto &pair = isolatePairs.at(isolatePairPosition);
-                Q_ASSERT(pair.start == i);
-                bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+                bool isRtl = false;
+                if (isolatePairPosition < isolatePairs.size()) {
+                    const auto &pair = isolatePairs.at(isolatePairPosition);
+                    Q_ASSERT(pair.start == i);
+                    isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+                }
                 doEmbed(isRtl, false, true);
-                ++isolatePairPosition;
                 break;
             }
author	Rainer Keller <Rainer.Keller@qt.io>	2019-08-27 14:44:48 +0200
committer	Rainer Keller <Rainer.Keller@qt.io>	2019-08-30 21:17:32 +0200
commit	1232205e32464d90e871f39eb1e14fcf9b78a163 (patch)
tree	cac9678f45d7e9a9c7cca0da561429d037bdc6c7 /src
parent	b2df41b5a8649ea3f7c9cc2e23f6c5a06a1e4ea7 (diff)