field | value | date
---|---|---
author | Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> | 2018-08-07 08:43:09 +0200
committer | Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> | 2018-08-21 05:05:15 +0000
commit | 12a7513a5d19d08d61653e7c802d867525eefc50 (patch) |
tree | 1a17c2da867713f0c4acdb67170c7426d486239c /src |
parent | e0c798742adbc984e71c0f65cc432101da5b9c52 (diff) |
Fix potential crash when showing line/paragraph separators
When showing line and paragraph separators at an offset from the start
of the string, the end of string pointer would be incorrectly set, and
we would read past the end of the string. If any part of this memory
happened to match the line or paragraph separator, then we would
overwrite it and have a crash.
I couldn't find any reliable way to test this, since the crash depends on
the contents of the memory after the string allocated by the algorithm.
But with an overflow of 100 000 characters, I found that it crashed every
time I ran the test.
[ChangeLog][QtGui][Text] Fixed potential crash when using
QTextOption::ShowLineAndParagraphSeparators.
Task-number: QTBUG-69661
Change-Id: I17d1996b883560bacdc7ce114c8aeb2b0108faea
Reviewed-by: JiDe Zhang <zccrs@live.com>
Reviewed-by: Michal Lazo <xlazom00@gmail.com>
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
(cherry picked from commit 65a1d41a092e78f7ab142c4c62689e1ca40ba10c)
Diffstat (limited to 'src')
-rw-r--r-- | src/gui/text/qtextengine.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp index 4d24fb50af..596294c018 100644 --- a/src/gui/text/qtextengine.cpp +++ b/src/gui/text/qtextengine.cpp @@ -1683,7 +1683,7 @@ void QTextEngine::itemize() const layoutData->string.detach(); string = reinterpret_cast<const ushort *>(layoutData->string.unicode()); uc = string + offset; - e = uc + length; + e = string + length; *const_cast<ushort*>(uc) = 0x21B5; // visual line separator } break; |
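Review bot: with `e` now computed as `string + length` (the end of the whole string rather than `length` characters past the offset), the unconditional write on the very next line, `*const_cast<ushort*>(uc) = 0x21B5;`, still has no check that `uc < e`; if `offset` can ever equal `length`, that write lands one element past the end of the buffer, which is the same class of out-of-bounds access this patch is fixing. Suggest guarding it (`if (uc < e) *const_cast<ushort*>(uc) = 0x21B5;`) or asserting `offset < length` before the write, and adding a one-line comment that `length` is the length of `layoutData->string`, not of the current item, since the old `uc + length` reads as though it was understood to be the latter.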