Diffstat (limited to 'dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch')
-rw-r--r-- | dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch b/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
deleted file mode 100644
index 055794b51964..000000000000
--- a/dev-qt/qtcore/files/qtcore-5.12.3-CVE-2019-18281.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -From 1232205e32464d90e871f39eb1e14fcf9b78a163 Mon Sep 17 00:00:00 2001 -From: Rainer Keller <Rainer.Keller@qt.io> -Date: Tue, 27 Aug 2019 14:44:48 +0200 -Subject: [PATCH] Fix crash when text contains too many directional chars - -In case a text to be layouted contains more than 128 directional characters -it causes the application to crash - -The function initScriptAnalysisAndIsolatePairs() collects information of -RTL/LTR chaaracters into vector "isolatePairs". The size of the vector is -capped to 128. Later the function generateDirectionalRuns() iterates -the text again and tries to access items from the previously capped vector -above the upper bound. - -Task-number: QTBUG-77819 -Change-Id: Ibb7bf12c12b1db22f43ff46236518da3fdeed26a -Reviewed-by: Simon Hausmann <simon.hausmann@qt.io> ---- - src/gui/text/qtextengine.cpp | 15 +++++++-------- - tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp | 17 +++++++++++++++++ - 2 files changed, 24 insertions(+), 8 deletions(-) - -diff --git a/src/gui/text/qtextengine.cpp b/src/gui/text/qtextengine.cpp -index 2da13289bfd..a7834587b1e 100644 ---- a/src/gui/text/qtextengine.cpp -+++ b/src/gui/text/qtextengine.cpp -@@ -399,6 +399,7 @@ struct QBidiAlgorithm { - analysis[i].bidiDirection = (level & 1) ? QChar::DirR : QChar::DirL; - runHasContent = true; - lastRunWithContent = -1; -+ ++isolatePairPosition; - } - int runBeforeIsolate = runs.size(); - ushort newLevel = isRtl ? 
((stack.top().level + 1) | 1) : ((stack.top().level + 2) & ~1); -@@ -440,21 +441,19 @@ struct QBidiAlgorithm { - doEmbed(true, true, false); - break; - case QChar::DirLRI: -- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i); - doEmbed(false, false, true); -- ++isolatePairPosition; - break; - case QChar::DirRLI: -- Q_ASSERT(isolatePairs.at(isolatePairPosition).start == i); - doEmbed(true, false, true); -- ++isolatePairPosition; - break; - case QChar::DirFSI: { -- const auto &pair = isolatePairs.at(isolatePairPosition); -- Q_ASSERT(pair.start == i); -- bool isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft(); -+ bool isRtl = false; -+ if (isolatePairPosition < isolatePairs.size()) { -+ const auto &pair = isolatePairs.at(isolatePairPosition); -+ Q_ASSERT(pair.start == i); -+ isRtl = QStringView(text + pair.start + 1, pair.end - pair.start - 1).isRightToLeft(); -+ } - doEmbed(isRtl, false, true); -- ++isolatePairPosition; - break; - } - -diff --git a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp -index 9c477589f93..f0a32c2ed40 100644 ---- a/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp -+++ b/tests/auto/gui/text/qtextlayout/tst_qtextlayout.cpp -@@ -138,6 +138,7 @@ private slots: - void noModificationOfInputString(); - void superscriptCrash_qtbug53911(); - void showLineAndParagraphSeparatorsCrash(); -+ void tooManyDirectionalCharctersCrash_qtbug77819(); - - private: - QFont testFont; -@@ -2309,5 +2310,21 @@ void tst_QTextLayout::nbspWithFormat() - QCOMPARE(layout.lineAt(1).textLength(), s2.length() + 1 + s3.length()); - } - -+void tst_QTextLayout::tooManyDirectionalCharctersCrash_qtbug77819() -+{ -+ QString data; -+ data += QString::fromUtf8("\xe2\x81\xa8"); // U+2068 FSI character -+ data += QString::fromUtf8("\xe2\x81\xa7"); // U+2067 RLI character -+ -+ // duplicating the text -+ for (int i = 0; i < 10; i++) -+ data += data; -+ -+ // Nothing to test. 
It must not crash in beginLayout(). -+ QTextLayout tl(data); -+ tl.beginLayout(); -+ tl.endLayout(); -+} -+ - QTEST_MAIN(tst_QTextLayout) - #include "tst_qtextlayout.moc" --- -2.16.3 |