From e9dbaa328e7d26ad6a7b5fd2490191751a7731b4 Mon Sep 17 00:00:00 2001
From: Konstantin Ritt
Date: Tue, 25 Nov 2014 15:41:29 +0400
Subject: Fix potential memory access violation issues

LOGFONT docs clearly states `lfFaceName` member is a null-terminated string of length not longer than LF_FACESIZE, including trailing null. This patch covers two cases at once: 1. If family name is longer than LF_FACESIZE - 1, it would be truncated and terminated with null, to prevent memory access beyond the LOGFONT instance. 2. If family name is a fromRawData QString, we don't assume it is null-terminated either and guarantee trailing null ourselves.

Change-Id: I8f607efc7d0901537a4179e36cc51df94203f08d
Reviewed-by: Friedemann Kleint
Reviewed-by: Eskil Abrahamsen Blomfeldt
---
 src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/plugins/platforms/direct2d')

diff --git a/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp b/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
index a86bb0ee04..8c70f70edd 100644
--- a/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
+++ b/src/plugins/platforms/direct2d/qwindowsdirect2dpaintengine.cpp
@@ -923,7 +923,11 @@ public:
     static const char keyC[] = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes";
     const QString familyName = QString::fromWCharArray(lf.lfFaceName);
     const QString nameSubstitute = QSettings(QLatin1String(keyC), QSettings::NativeFormat).value(familyName, familyName).toString();
-    memcpy(lf.lfFaceName, nameSubstitute.utf16(), sizeof(wchar_t) * qMin(nameSubstitute.length() + 1, LF_FACESIZE));
+    if (nameSubstitute != familyName) {
+        const int nameSubstituteLength = qMin(nameSubstitute.length(), LF_FACESIZE - 1);
+        memcpy(lf.lfFaceName, nameSubstitute.utf16(), nameSubstituteLength * sizeof(wchar_t));
+        lf.lfFaceName[nameSubstituteLength] = 0;
+    }
     ComPtr dwriteFont;
     HRESULT hr = QWindowsDirect2DContext::instance()->dwriteGdiInterop()->CreateFontFromLOGFONT(&lf, &dwriteFont);
--
cgit v1.2.3
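Review bot: The new guard only skips the copy when the registry substitute equals the original name, so a FontSubstitutes entry whose value is empty (or not convertible to a string, which toString() renders as an empty QString) passes the guard and overwrites lfFaceName with a bare terminator before CreateFontFromLOGFONT is called; tightening it to `if (!nameSubstitute.isEmpty() && nameSubstitute != familyName) {` keeps the untrusted registry value from blanking the face name. The truncation to LF_FACESIZE - 1 is correct but its reason is not stated in the code; a comment such as `// LF_FACESIZE counts the terminating null, so keep one slot free for it` on the qMin line would help the next reader. The earlier context line `QString::fromWCharArray(lf.lfFaceName)` still scans to the first null and so presumably relies on the incoming LOGFONT already being terminated within LF_FACESIZE; that input is built outside this hunk and the commit does not check it. The enclosing function starts and ends outside the hunk.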