From 9f4f6ae2cbda1d38d16c6ccbce3526069feeeb6e Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Mon, 18 Jul 2022 15:22:16 +0200 Subject: [PATCH] QTextBoundaryFinder: fix a flawed buffer size calculation There were two problems: 1. The cast to uint truncates the input qsizetype bufferSize mod UINT_MAX, which, if the original value was qsizetype(UINT_MAX) + 1, would yield a false negative check, so remove the cast. 2. The multiplication of the input string size with sizeof(QCharAttributes) looks like it could overflow, esp. on 32-bit platforms. It can't, because sizeof(QCharAttributes) == 1 atm, but the next attribute that's added to the struct will turn that into sizeof 2, so play it safe and use division on the LHS instead of multiplication on the RHS to avoid this arithmetic 101 antipattern. Task-number: QTBUG-103531 Change-Id: Icae3bea1c3cb52a235b8aae181af35c86c3f5d6f Reviewed-by: Thiago Macieira (cherry picked from commit 3e1c6e74967e0c283655f4377a0e72efa551ddb0) Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/text/qtextboundaryfinder.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/corelib/text/qtextboundaryfinder.cpp b/src/corelib/text/qtextboundaryfinder.cpp
index e387df3f8d5..937f88b2525 100644
--- a/src/corelib/text/qtextboundaryfinder.cpp
+++ b/src/corelib/text/qtextboundaryfinder.cpp
@@ -213,7 +213,7 @@ QTextBoundaryFinder::QTextBoundaryFinder(BoundaryType type, QStringView string,
 , attributes(nullptr)
 {
 if (!sv.isEmpty()) {
- if (buffer && (uint)bufferSize >= (sv.size() + 1) * sizeof(QCharAttributes)) {
+ if (buffer && bufferSize / int(sizeof(QCharAttributes)) >= sv.size() + 1) {
 attributes = reinterpret_cast(buffer);
 freeBuffer = false;
 } else {
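Review bot: The overflow-safe division on the added `if` line is only safe until someone "simplifies" it back into a multiplication, and the reasoning currently lives solely in the commit message; a comment on that line would pin it, e.g. `// Divide rather than multiply: (sv.size() + 1) * sizeof(QCharAttributes) could overflow once the struct grows.` If `bufferSize` can be negative (its type is not visible in the hunk; the commit message calls it qsizetype), the division yields a negative quotient, the comparison fails and control falls through to the `else` branch, which looks like the intended allocate-our-own fallback but deserves a one-line note or a `Q_ASSERT(bufferSize >= 0)` so the contract is explicit. The constructor body continues past the hunk.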