Avoid overflow in text layout

Fixes oss-fuzz issue 29313. Change-Id: Idbabd162fa9e0dbce687981bdbcc75be37189a61 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> Reviewed-by: Robert Löhning <robert.loehning@qt.io> (cherry picked from commit bfc09b8d8fa6c1a397aff458c644ed424754adf0) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
2021-01-26 17:29:08 +01:00 · 2021-01-26 17:29:08 +01:00 · 69e0205bcb
commit 69e0205bcb
parent 3fec6597a5
2 changed files with 17 additions and 0 deletions
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@ -820,6 +820,10 @@ QTextLine QTextLayout::createLine()
    int l = d->lines.size();
    if (l && d->lines.at(l-1).length < 0) {
        QTextLine(l-1, d).setNumColumns(INT_MAX);
+        if (d->maxWidth > QFIXED_MAX / 2) {
+            qWarning("QTextLayout: text too long, truncated.");
+            return QTextLine();
+        }
    }
    int from = l > 0 ? d->lines.at(l-1).from + d->lines.at(l-1).length + d->lines.at(l-1).trailingSpaces : 0;
    int strlen = d->layoutData->string.length();
--- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp
@ -1896,6 +1896,19 @@ void tst_QTextLayout::longText()
        QVERIFY(line.isValid());
        QVERIFY(line.cursorToX(line.textLength() - 1) > 0);
    }
+
+    {
+        QTextLayout layout(QString("Qt rocks! ").repeated(200000));
+        layout.setCacheEnabled(true);
+        layout.beginLayout();
+        forever {
+            QTextLine line = layout.createLine();
+            if (!line.isValid())
+                break;
+        }
+        layout.endLayout();
+        QVERIFY(layout.maximumWidth() <= QFIXED_MAX);
+    }
 }

 void tst_QTextLayout::widthOfTabs()