From 1a07e7899261c044a5325ca21dd20c9c7be3e6ef Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Thu, 21 Jan 2021 09:55:00 +0100
Subject: [PATCH] Gracefully reject requests for absurd font sizes

Avoid overflows.

Fixes: QTBUG-89899
Change-Id: Ic1a83c1704fe20be3d032358dc91ee8e751f2281
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
(cherry picked from commit 679750684087cad7a48921c4174a53cdf4855049)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/gui/text/qfontdatabase.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/gui/text/qfontdatabase.cpp b/src/gui/text/qfontdatabase.cpp
index 13cde04ff41..cf2573c9848 100644
--- a/src/gui/text/qfontdatabase.cpp
+++ b/src/gui/text/qfontdatabase.cpp
@@ -2386,6 +2386,12 @@ QFontEngine *QFontDatabasePrivate::findFont(const QFontDef &request, int script)
         return engine;
     }
 
+    if (request.pixelSize > 0xffff) {
+        // Stop absurd requests reaching the engines; pixel size is assumed to fit ushort
+        qCDebug(lcFontMatch, "Rejecting request for pixel size %g2, returning box engine", double(request.pixelSize));
+        return new QFontEngineBox(32); // not request.pixelSize, to avoid overflow/DOS
+    }
+
     QString family_name, foundry_name;
     const QString requestFamily = request.families.size() > 0 ? request.families.at(0) : request.family;
     parseFontName(requestFamily, foundry_name, family_name);