From bfc09b8d8fa6c1a397aff458c644ed424754adf0 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland
Date: Tue, 26 Jan 2021 17:29:08 +0100
Subject: Avoid overflow in text layout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes oss-fuzz issue 29313.

Pick-to: 6.0 5.15
Change-Id: Idbabd162fa9e0dbce687981bdbcc75be37189a61
Reviewed-by: Eskil Abrahamsen Blomfeldt
Reviewed-by: Robert Löhning
---
 src/gui/text/qtextlayout.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/gui/text/qtextlayout.cpp')

diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index d303219bb9..b2b87fb92e 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -820,6 +820,10 @@ QTextLine QTextLayout::createLine()
     int l = d->lines.size();
     if (l && d->lines.at(l-1).length < 0) {
         QTextLine(l-1, d).setNumColumns(INT_MAX);
+        if (d->maxWidth > QFIXED_MAX / 2) {
+            qWarning("QTextLayout: text too long, truncated.");
+            return QTextLine();
+        }
     }
     int from = l > 0 ? d->lines.at(l-1).from + d->lines.at(l-1).length + d->lines.at(l-1).trailingSpaces : 0;
     int strlen = d->layoutData->string.length();
-- 
cgit v1.2.3
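Review bot: The threshold `QFIXED_MAX / 2` in the new guard is unexplained, and nothing in the hunk tells a reader why half the QFixed range is the cut-off rather than a bound derived from the width the next line would add; a comment above the condition such as `// Stop before the accumulated width can overflow QFixed on a later line; half the range leaves headroom for the next advance.` would make the intent checkable, with the "headroom" part hedged since the actual overflow site is outside this hunk. The check also sits inside the `if (l && d->lines.at(l-1).length < 0)` branch, so it only runs when the previous line was left open-ended; if `d->maxWidth` can grow past the limit on another path it would go unchecked, which is worth confirming against the fuzzer case or hoisting the check out of the branch. Returning an invalid QTextLine silently ends the caller's layout loop with only a qWarning, so the truncation is not surfaced to the API user; that may be the intended contract but deserves a sentence in the function's documentation. createLine()'s body continues beyond the hunk.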