From ee2dc9e19dfe8545b8e60a6b394ab9a5a856662f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io>
Date: Fri, 26 Feb 2021 22:37:32 +0100
Subject: Limit value in setFontSizeFromValue()

Avoids overflows in QFreetypeFace::computeSize and
QFontEngineBox::boundingBox

Fixes oss-fuzz issue 30290

Change-Id: If8e9ff74bf706a701e26832ad21b3439a3b437f7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit 976fede67ca4a4d322bc8d2c00266a2e2f1a6e3d)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/text/qcssparser.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/gui')

diff --git a/src/gui/text/qcssparser.cpp b/src/gui/text/qcssparser.cpp
index 9670568792..417587fab0 100644
--- a/src/gui/text/qcssparser.cpp
+++ b/src/gui/text/qcssparser.cpp
@@ -1143,14 +1143,14 @@ static bool setFontSizeFromValue(QCss::Value value, QFont *font, int *fontSizeAd
         s.chop(2);
         value.variant = s;
         if (value.variant.convert(QMetaType::fromType<qreal>())) {
-            font->setPointSizeF(value.variant.toReal());
+            font->setPointSizeF(qBound(qreal(0), value.variant.toReal(), qreal(1 << 24) - 1));
             valid = true;
         }
     } else if (s.endsWith(QLatin1String("px"), Qt::CaseInsensitive)) {
         s.chop(2);
         value.variant = s;
         if (value.variant.convert(QMetaType::fromType<int>())) {
-            font->setPixelSize(value.variant.toInt());
+            font->setPixelSize(qBound(0, value.variant.toInt(), (1 << 24) - 1));
             valid = true;
         }
     }
-- 
cgit v1.2.3