From b72107903268c4b83cb0e74ef7300a3b84069b52 Mon Sep 17 00:00:00 2001
From: Paul Olav Tvete
Date: Wed, 5 May 2021 11:32:51 +0200
Subject: [PATCH] Fix rare integer overflow in text shaping

With extreme painter scaling, linearAdvance may be too large to fit in an unsigned short.

Fixes: QTBUG-91758
Change-Id: I7bbe6e77ec9bcef4aa5259da1d3000ed1a8eb27a
Reviewed-by: Eskil Abrahamsen Blomfeldt
(cherry picked from commit e2bdff3555f8c2a275c7bbcf964d939a5f489100)
Reviewed-by: Qt Cherry-pick Bot
---
 src/gui/text/freetype/qfontengine_ft.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gui/text/freetype/qfontengine_ft.cpp b/src/gui/text/freetype/qfontengine_ft.cpp
index 280498f98d6..ae1e139251e 100644
--- a/src/gui/text/freetype/qfontengine_ft.cpp
+++ b/src/gui/text/freetype/qfontengine_ft.cpp
@@ -1051,7 +1051,8 @@ QFontEngineFT::Glyph *QFontEngineFT::loadGlyph(QGlyphSet *set, uint glyph,
 info.height = TRUNC(top - bottom);
 
 // If any of the metrics are too large to fit, don't cache them
- if (areMetricsTooLarge(info))
+ // Also, avoid integer overflow when linearAdvance is to large to fit in a signed short
+ if (areMetricsTooLarge(info) || info.linearAdvance > 0x7FFF)
 return nullptr;
 
 g = new Glyph;
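Review bot: The added comment says linearAdvance must fit in a "signed short" while the commit message says "unsigned short"; the threshold `0x7FFF` is the signed maximum, so the comment is the one that matches the code and the message should be reconciled with it, and the comment has a typo, `is to large` → `is too large`. The new guard only rejects the positive side: if linearAdvance is a signed quantity (its type is not visible in the hunk), a value below `-0x8000` would still be stored, so the check may need a symmetric lower bound such as `info.linearAdvance < -0x8000`. Spelling the limit as `std::numeric_limits<short>::max()` instead of the literal would also tie the bound to the field type it protects. The body of loadGlyph starts and ends outside the hunk.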