QTextBoundaryFinder: fix a flawed buffer size calculation

There were two problems:

1. The cast to uint truncates the input qsizetype bufferSize mod
   UINT_MAX, which, if the original value was qsizetype(UINT_MAX) + 1,
   would yield a false negative check, so remove the cast.

2. The multiplication of the input string size with
   sizeof(QCharAttributes) looks like it could overflow, esp. on
   32-bit platforms. It can't, because sizeof(QCharAttributes) == 1
   atm, but the next attribute that's added to the struct will turn
   that into sizeof 2, so play it safe and use division on the LHS
   instead of multiplication on the RHS to avoid this arithmetic 101
   antipattern.

Task-number: QTBUG-103531
Change-Id: Icae3bea1c3cb52a235b8aae181af35c86c3f5d6f
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 3e1c6e74967e0c283655f4377a0e72efa551ddb0)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Marc Mutz 2022-07-18 15:22:16 +02:00 committed by Qt Cherry-pick Bot
parent 7ad965b145
commit 9f4f6ae2cb
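The two arithmetic hazards the commit message describes, as an added C++ example that is not Qt's code: `oldCheck32` and `oldCheck64` model the removed form as it evaluates on 32-bit and 64-bit builds, `newCheck` models the replacement with division on the left-hand side. `elemSize` stands in for `sizeof(QCharAttributes)` (1 in Qt today, 2 after the next attribute is added, larger values here only to make the wrap visible), and every buffer and string size is a constructed value.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not Qt code. elemSize plays the role of sizeof(QCharAttributes).

// 'Before' check as it evaluates on a 32-bit build: qsizetype and size_t are
// both 32 bits wide, so (size + 1) * elemSize is computed in unsigned 32-bit
// arithmetic and can wrap around to a small value.
bool oldCheck32(std::int32_t bufferSize, std::int32_t stringSize, std::uint32_t elemSize)
{
    std::uint32_t needed = (static_cast<std::uint32_t>(stringSize) + 1u) * elemSize; // may wrap
    return static_cast<std::uint32_t>(bufferSize) >= needed;                          // the old (uint) cast
}

// 'Before' check as it evaluates on a 64-bit build: qsizetype is 64 bits, and
// the (uint) cast keeps only the low 32 bits of bufferSize.
bool oldCheck64(std::int64_t bufferSize, std::int64_t stringSize, std::uint64_t elemSize)
{
    std::uint64_t needed = (static_cast<std::uint64_t>(stringSize) + 1u) * elemSize;
    return static_cast<std::uint32_t>(bufferSize) >= needed;                          // truncating cast
}

// 'After' check: no cast, division on the LHS. Division cannot overflow, and
// bufferSize / elemSize is exactly the number of whole elements the buffer
// holds. A negative bufferSize divides to a negative value and is rejected.
template <typename SizeT>
bool newCheck(SizeT bufferSize, SizeT stringSize, SizeT elemSize)
{
    return bufferSize / elemSize >= stringSize + 1;
}

int main()
{
    // 32-bit build, 4-byte element, (size + 1) * 4 == 2^32 wraps to 0:
    // the old check accepts a 1000-byte buffer for a ~1 billion-character string.
    std::printf("32-bit wrap   old=%d new=%d\n",
                oldCheck32(1000, 0x3FFFFFFF, 4),
                newCheck<std::int32_t>(1000, 0x3FFFFFFF, 4));

    // 64-bit build, bufferSize == qsizetype(UINT_MAX) + 1: the cast truncates
    // it to 0 and a perfectly large buffer is refused (the false negative
    // from the commit message).
    std::printf("64-bit trunc  old=%d new=%d\n",
                oldCheck64(0x100000000LL, 10, 1),
                newCheck<std::int64_t>(0x100000000LL, 10, 1));

    // 64-bit build, negative bufferSize: the cast yields 0xFFFFFFFF and the
    // old check passes; the division form rejects it.
    std::printf("negative size old=%d new=%d\n",
                oldCheck64(-1, 10, 1),
                newCheck<std::int64_t>(-1, 10, 1));
    return 0;
}
```

The 32-bit wrap needs `(size + 1) * elemSize` to reach 2^32, which is why the example uses a 4-byte element rather than the 2-byte struct the commit anticipates; the mechanism is the same, only the threshold moves. Note that `newCheck` still computes `stringSize + 1`, which is safe only because a `QStringView` can never hold `qsizetype` max characters.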


@ -213,7 +213,7 @@ QTextBoundaryFinder::QTextBoundaryFinder(BoundaryType type, QStringView string,
, attributes(nullptr)
{
if (!sv.isEmpty()) {
if (buffer && (uint)bufferSize >= (sv.size() + 1) * sizeof(QCharAttributes)) {
if (buffer && bufferSize / int(sizeof(QCharAttributes)) >= sv.size() + 1) {
attributes = reinterpret_cast<QCharAttributes *>(buffer);
freeBuffer = false;
} else {
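Review bot: the new `if (buffer && bufferSize / int(sizeof(QCharAttributes)) >= sv.size() + 1)` line also closes a hole the commit message does not mention: a negative `bufferSize` used to be turned into a large unsigned value by the `(uint)` cast and would pass the old check, whereas signed division now yields a negative quotient that fails the comparison. Worth a sentence in the commit message, or a `Q_ASSERT(bufferSize >= 0)` to make the contract explicit. Minor style point: `qsizetype(sizeof(QCharAttributes))` would keep both operands of the division in the same type as `sv.size()` on the right-hand side instead of mixing `int` in.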