From 248ccb2889aec76cb99c25998534c97b48b98c4a Mon Sep 17 00:00:00 2001 From: Eskil Abrahamsen Blomfeldt Date: Tue, 11 Dec 2012 14:07:16 +0100 Subject: Fix possible crash in QTextDocument With trailing spaces in some cases, we would not get the "no justification at end of paragraph" special case, and continue in the code, getting the unexpected case where line_length becomes < 0 which would lead to memory corruption because we were writing outside our buffers. I added an assert to catch this type of bug earlier, and I added the trailing spaces to the test for the end of the paragraph. The test case added is one example which would crash. Task-number: QTBUG-27354 Change-Id: Id720a6fa55dbc709ce04dd5321e55687bf960d75 Reviewed-by: Lars Knoll --- src/gui/text/qtextengine.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/gui/text/qtextengine.cpp') diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp index 82cff6a043..37d6276f6b 100644 --- a/src/gui/text/qtextengine.cpp +++ b/src/gui/text/qtextengine.cpp @@ -1852,7 +1852,7 @@ void QTextEngine::justify(const QScriptLine &line) itemize(); if (!forceJustification) { - int end = line.from + (int)line.length; + int end = line.from + (int)line.length + line.trailingSpaces; if (end == layoutData->string.length()) return; // no justification at end of paragraph if (end && layoutData->items[findItem(end-1)].analysis.flags == QScriptAnalysis::LineOrParagraphSeparator) @@ -1907,6 +1907,8 @@ void QTextEngine::justify(const QScriptLine &line) int gs = log_clusters[start]; int ge = (end == length(firstItem+i) ? si.num_glyphs : log_clusters[end]); + Q_ASSERT(ge <= si.num_glyphs); + const QGlyphLayout g = shapedGlyphs(&si); for (int i = gs; i < ge; ++i) { -- cgit v1.2.3