From eb447679456336d387bb69a56c164b06fbe83166 Mon Sep 17 00:00:00 2001
From: Kevin Funk <kfunk@kde.org>
Date: Thu, 28 Aug 2014 15:46:03 +0200
Subject: Fix crash in QTextLayout::cursorToX

When 'cursorPos' is out of bounds ([0, lineEnd]), this method crashed.

Change-Id: Ia0540ab3afbffb5c598f7b8515263cce3b3928e4
Task-number: QTBUG-40753
Reviewed-by: Dominik Haumann <dhaumann@kde.org>
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
---
 src/gui/text/qtextlayout.cpp                       |  2 +-
 .../auto/gui/text/qtextlayout/tst_qtextlayout.cpp  | 23 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index 4879ae51d7..8e605e4ae1 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -2583,7 +2583,7 @@ qreal QTextLine::cursorToX(int *cursorPos, Edge edge) const
     }
 
     int lineEnd = line.from + line.length + line.trailingSpaces;
-    int pos = *cursorPos;
+    int pos = qBound(0, *cursorPos, lineEnd);
     int itm;
     const QCharAttributes *attributes = eng->attributes();
     if (!attributes) {
diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
index ec698e5db4..e49d8c3b07 100644
--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
@@ -86,6 +86,7 @@ private slots:
     void cursorToXForSetColumns();
     void cursorToXForTrailingSpaces_data();
     void cursorToXForTrailingSpaces();
+    void cursorToXInvalidInput();
     void horizontalAlignment_data();
     void horizontalAlignment();
     void horizontalAlignmentMultiline_data();
@@ -674,6 +675,28 @@ void tst_QTextLayout::cursorToXForTrailingSpaces()
     QCOMPARE(line.cursorToX(6), cursorAt6);
 }
 
+void tst_QTextLayout::cursorToXInvalidInput()
+{
+    QTextLayout layout("aaa", testFont);
+
+    layout.beginLayout();
+    QTextLine line = layout.createLine();
+    line.setLineWidth(5);
+    layout.endLayout();
+
+    int cursorPos;
+
+    cursorPos = 0;
+    layout.lineAt(0).cursorToX(&cursorPos);
+    QCOMPARE(cursorPos, 0);
+    cursorPos = -300;
+    layout.lineAt(0).cursorToX(&cursorPos);
+    QCOMPARE(cursorPos, 0);
+    cursorPos = 300;
+    layout.lineAt(0).cursorToX(&cursorPos);
+    QCOMPARE(cursorPos, 3);
+}
+
 void tst_QTextLayout::horizontalAlignment_data()
 {
     qreal width = TESTFONT_SIZE * 4;
-- 
cgit v1.2.3