Fix possible crash in QTextDocument

With trailing spaces in some cases, we would not get the "no justification at end of paragraph" special case, and continue in the code, getting the unexpected case where line_length becomes < 0 which would lead to memory corruption because we were writing outside our buffers. I added an assert to catch this type of bug earlier, and I added the trailing spaces to the test for the end of the paragraph. The test case added is one example which would crash. Task-number: QTBUG-27354 Change-Id: Id720a6fa55dbc709ce04dd5321e55687bf960d75 Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2012-12-11 14:07:16 +01:00 · 2012-12-11 14:07:16 +01:00 · 248ccb2889
commit 248ccb2889
parent 4319f698c8
2 changed files with 28 additions and 1 deletions
--- a/src/gui/text/qtextengine.cpp
+++ b/src/gui/text/qtextengine.cpp
@ -1852,7 +1852,7 @@ void QTextEngine::justify(const QScriptLine &line)
    itemize();

    if (!forceJustification) {
-        int end = line.from + (int)line.length;
+        int end = line.from + (int)line.length + line.trailingSpaces;
        if (end == layoutData->string.length())
            return; // no justification at end of paragraph
        if (end && layoutData->items[findItem(end-1)].analysis.flags == QScriptAnalysis::LineOrParagraphSeparator)
@ -1907,6 +1907,8 @@ void QTextEngine::justify(const QScriptLine &line)
        int gs = log_clusters[start];
        int ge = (end == length(firstItem+i) ? si.num_glyphs : log_clusters[end]);

+        Q_ASSERT(ge <= si.num_glyphs);
+
        const QGlyphLayout g = shapedGlyphs(&si);

        for (int i = gs; i < ge; ++i) {
--- a/tests/auto/gui/text/qtextdocument/tst_qtextdocument.cpp
+++ b/tests/auto/gui/text/qtextdocument/tst_qtextdocument.cpp
@ -184,6 +184,8 @@ private slots:

    void htmlExportImportBlockCount();

+    void QTBUG27354_spaceAndSoftSpace();
+
 private:
    void backgroundImage_checkExpectedHtml(const QTextDocument &doc);

@ -2900,5 +2902,28 @@ void tst_QTextDocument::htmlExportImportBlockCount()
    QCOMPARE(document.blockCount(), 5);
 }

+void tst_QTextDocument::QTBUG27354_spaceAndSoftSpace()
+{
+    QTextDocument document;
+    {
+        QTextCursor cursor(&document);
+        QTextBlockFormat blockFormat;
+        blockFormat.setAlignment(Qt::AlignJustify);
+        cursor.mergeBlockFormat(blockFormat);
+        cursor.insertText("ac");
+        cursor.insertBlock();
+        cursor.insertText(" ");
+        cursor.insertText(QChar(0x2028));
+    }
+
+    // Trigger justification of text
+    QImage image(1000, 1000, QImage::Format_ARGB32);
+    image.fill(0);
+    {
+        QPainter p(&image);
+        document.drawContents(&p, image.rect());
+    }
+}
+
 QTEST_MAIN(tst_QTextDocument)
 #include "tst_qtextdocument.moc"