Fix crash when text contains too many directional chars

In case a text to be layouted contains more than 128 directional characters it causes the application to crash The function initScriptAnalysisAndIsolatePairs() collects information of RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is capped to 128. Later the function generateDirectionalRuns() iterates the text again and tries to access items from the previously capped vector above the upper bound. Task-number: QTBUG-77819 Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2019-08-27 14:44:48 +02:00 · 2019-08-27 14:44:48 +02:00 · 1232205e32
commit 1232205e32
parent b2df41b5a8
2 changed files with 24 additions and 8 deletions
--- a/src/gui/text/qtextengine.cpp
+++ b/src/gui/text/qtextengine.cpp
@ -399,6 +399,7 @@ struct QBidiAlgorithm {
                        analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL;
                    runHasContent = true;
                    lastRunWithContent = -1;
+                    ++isolatePairPosition;
                }
                int runBeforeIsolate = runs.size();
                ushort newLevel = isRtl ? ((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1);
@ -440,21 +441,19 @@ struct QBidiAlgorithm {
                doEmbed(true, true, false);
                break;
            case QChar::DirLRI:
-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
                doEmbed(false, false, true);
-                ++isolatePairPosition;
                break;
            case QChar::DirRLI:
-                Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i);
                doEmbed(true, false, true);
-                ++isolatePairPosition;
                break;
            case QChar::DirFSI: {
-                const auto &pair = isolatePairs.at(isolatePairPosition);
-                Q_ASSERT(pair.start == i);
-                bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+                bool isRtl = false;
+                if (isolatePairPosition < isolatePairs.size()) {
+                    const auto &pair = isolatePairs.at(isolatePairPosition);
+                    Q_ASSERT(pair.start == i);
+                    isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft();
+                }
                doEmbed(isRtl, false, true);
-                ++isolatePairPosition;
                break;
            }

--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
@ -138,6 +138,7 @@ private slots:
    void noModificationOfInputString();
    void superscriptCrash_qtbug53911();
    void showLineAndParagraphSeparatorsCrash();
+    void tooManyDirectionalCharctersCrash_qtbug77819();

 private:
    QFont testFont;
@ -2309,5 +2310,21 @@ void tst_QTextLayout::nbspWithFormat()
    QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length());
 }

+void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819()
+{
+    QString data;
+    data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character
+    data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character
+
+    // duplicating the text
+    for (int i = 0; i < 10; i++)
+        data += data;
+
+    // Nothing to test. It must not crash in beginLayout().
+    QTextLayout tl(data);
+    tl.beginLayout();
+    tl.endLayout();
+}
+
 QTEST_MAIN(tst_QTextLayout)
 #include "tst_qtextlayout.moc"