From 46804956cbe3cd5ddfb0528ae7d9fa35a031d6d3 Mon Sep 17 00:00:00 2001
From: John Preston
Date: Mon, 2 May 2016 16:01:06 +0300
Subject: Fix possible crash in calculateRightBearingForPreviousGlyph().

LineBreakHelper saves previousGlyph for calculating right bearing of this glyph when it is needed. But between the saving of this glyph and the calculation the fontEngine can change (if we move to the different item). So we need to save the fontEngine together with the glyph and use this saved fontEngine for the saved glyph, while still using the current fontEngine for calculating right bearing of the current glyph.

[ChangeLog][QtGui][QTextLine] Fixed a possible UB in the calculation of glyph right bearing when a QTextLine layout is performed.

Change-Id: I14c729a1f761a45eaba85754c0b15a27faff7458
Reviewed-by: Eskil Abrahamsen Blomfeldt
---
 src/gui/text/qtextlayout.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
index f5827bb683..adaac11517 100644
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -1654,6 +1654,7 @@ namespace {
         int maxGlyphs;
         int currentPosition;
         glyph_t previousGlyph;
+        QFontEngine *previousGlyphFontEngine;
         QFixed minw;
         QFixed softHyphenWidth;
@@ -1687,13 +1688,14 @@ namespace {
             if (currentPosition > 0 && logClusters[currentPosition - 1] < glyphs.numGlyphs) {
                 previousGlyph = currentGlyph(); // needed to calculate right bearing later
+                previousGlyphFontEngine = fontEngine;
             }
         }
-        inline void calculateRightBearing(glyph_t glyph)
+        inline void calculateRightBearing(QFontEngine *engine, glyph_t glyph)
         {
             qreal rb;
-            fontEngine->getGlyphBearings(glyph, 0, &rb);
+            engine->getGlyphBearings(glyph, 0, &rb);
             // We only care about negative right bearings, so we limit the range
             // of the bearing here so that we can assume it's negative in the rest
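Review bot: The new raw pointer member `QFontEngine *previousGlyphFontEngine;` gets no initializer in this hunk, and none of the three hunks touches LineBreakHelper's constructor, which lies outside the diff. If that constructor initializes the other pointer members in its initializer list (the commit message implies `fontEngine` is a per-item member), `previousGlyphFontEngine` should be initialized there too, e.g. `previousGlyphFontEngine(0)` matching the neighbouring initializers, so that a read before the first saveCurrentGlyph() is a reproducible null pointer rather than an indeterminate value. The member is non-owning and the fix relies on the saved engine outliving the layout pass, which is worth stating next to the declaration: `QFontEngine *previousGlyphFontEngine; // not owned; engine that produced previousGlyph, must outlive the layout`. The enclosing struct starts and ends outside the hunk.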
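Review bot: The comment on the `previousGlyph = currentGlyph();` line still reads only `// needed to calculate right bearing later`, so the reason the engine is now captured alongside the glyph — the whole point of this fix — lives only in the commit message. I would extend it to `// saved together with its font engine: fontEngine may already belong to the next item when the bearing is computed`. Separately, the new `calculateRightBearing(QFontEngine *engine, glyph_t glyph)` dereferences `engine` unconditionally; a `Q_ASSERT(engine);` before `engine->getGlyphBearings(glyph, 0, &rb);` would make a never-set or stale previousGlyphFontEngine fail loudly in debug builds instead of crashing silently in release. saveCurrentGlyph() begins before the hunk and calculateRightBearing() continues after it.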
@@ -1706,13 +1708,13 @@ namespace {
         {
             if (currentPosition <= 0) return;
-            calculateRightBearing(currentGlyph());
+            calculateRightBearing(fontEngine, currentGlyph());
         }
         inline void calculateRightBearingForPreviousGlyph()
         {
             if (previousGlyph > 0)
-                calculateRightBearing(previousGlyph);
+                calculateRightBearing(previousGlyphFontEngine, previousGlyph);
         }
         static const QFixed RightBearingNotCalculated;
-- cgit v1.2.3
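Review bot: `calculateRightBearingForPreviousGlyph()` now passes `previousGlyphFontEngine` to be dereferenced but guards only on `previousGlyph > 0`, so correctness rests on an invariant the code nowhere states: both members are assigned together in saveCurrentGlyph() (visible in the previous hunk) and the saved engine is meaningful only while previousGlyph is non-zero. A comment on the guard records that for the next maintainer, e.g. `// previousGlyphFontEngine is only valid while previousGlyph != 0; both are set together in saveCurrentGlyph()`. The contrast with the current-glyph path, which deliberately keeps using the live `fontEngine`, is also worth a word on that call: `// current glyph: the live fontEngine is the right one`. The first method in this hunk starts before the hunk, so its signature is not visible here.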