From 073fae097ce40bee1532c252a8c696840b5dfc16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?=
Date: Fri, 25 Oct 2024 15:45:51 +0200
Subject: [PATCH] QFontEngine: Escape values too large for QFixed
Change-Id: I9d21d784ca13f31f4237c1517016a69cf5df4ca4
Reviewed-by: Eskil Abrahamsen Blomfeldt
---
 src/gui/text/qfontengine.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/gui/text/qfontengine.cpp b/src/gui/text/qfontengine.cpp
index a2ad2469688..83dab350249 100644
--- a/src/gui/text/qfontengine.cpp
+++ b/src/gui/text/qfontengine.cpp
@@ -396,6 +396,10 @@ bool QFontEngine::processHheaTable() const
 return false;
 QFixed unitsPerEm = emSquareSize();
+ // Bail out if values are too large for QFixed
+ const auto limitForQFixed = std::numeric_limits::max() / (fontDef.pixelSize * 64);
+ if (ascent > limitForQFixed || descent > limitForQFixed || leading > limitForQFixed)
+ return false;
 m_ascent = QFixed::fromReal(ascent * fontDef.pixelSize) / unitsPerEm;
 m_descent = -QFixed::fromReal(descent * fontDef.pixelSize) / unitsPerEm;
@@ -453,6 +457,11 @@ bool QFontEngine::processOS2Table() const
 // Some fonts may have invalid OS/2 data. We detect this and bail out.
 if (typoAscent == 0 && typoDescent == 0)
 return false;
+ // Bail out if values are too large for QFixed
+ const auto limitForQFixed = std::numeric_limits::max() / (fontDef.pixelSize * 64);
+ if (typoAscent > limitForQFixed || typoDescent > limitForQFixed
+ || typoLineGap > limitForQFixed)
+ return false;
 m_ascent = QFixed::fromReal(typoAscent * fontDef.pixelSize) / unitsPerEm;
 m_descent = -QFixed::fromReal(typoDescent * fontDef.pixelSize) / unitsPerEm;
 m_leading = QFixed::fromReal(typoLineGap * fontDef.pixelSize) / unitsPerEm;
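Review bot: The new guard in processHheaTable() is one-sided: `ascent > limitForQFixed || descent > limitForQFixed || leading > limitForQFixed` rejects only large positive values, so a metric with a large negative magnitude still reaches `QFixed::fromReal(... * fontDef.pixelSize)` and can leave QFixed's range in the other direction. The variables are declared outside the hunk, but the negation in `m_descent = -QFixed::fromReal(descent * ...)` suggests descent is normally negative, and these values come from font tables that should be treated as untrusted. Each comparison should be paired with its lower bound, for example `descent > limitForQFixed || descent < -limitForQFixed`, and the same applies to the typoAscent/typoDescent/typoLineGap check in processOS2Table(). Both function bodies start and end outside their hunks.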
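Review bot: The limit expression `std::numeric_limits::max() / (fontDef.pixelSize * 64)` in processOS2Table() is a verbatim copy of the one added to processHheaTable(), and the bare `64` is not explained at either site. A single private helper that returns the limit would keep the two guards from drifting apart. It could carry a comment such as `// QFixed keeps value * 64 in an int, so metric * pixelSize must stay within INT_MAX / 64` (presumably what the literal stands for; confirm against QFixed). The helper is also the natural place to state what is expected when `fontDef.pixelSize` is zero or negative, since the divisor's type and range are not visible in this hunk.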