Fixed potential invalid memory access in OpenGL engine glyph cache.

We need to clamp glyph_height to prevent from overflowing the texture
cache. A slightly similar issue was fixed for glyph_width in change
9520674. Also, we should only increment the y_offset in
the place where we check for an overflow.

Task-number: QTBUG-26649

Change-Id: I297191b2ffd68a636bfced7f5284fd3b9383e988
Reviewed-by: Eskil Abrahamsen Blomfeldt <[email protected]>

Author: Samuel Rødal

src/opengl/qpaintengine_opengl.cpp

@@ -4810,7 +4810,7 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
                 int strip_height = qt_next_power_of_two(qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal())+2);
                 font_tex->x_offset = x_margin;
                 font_tex->y_offset += strip_height;
-                if (font_tex->y_offset >= font_tex->height) {
+                if (font_tex->y_offset + strip_height > font_tex->height) {
                     // get hold of the old font texture
                     uchar *old_tex_data = font_tex->data;
                     int old_tex_height = font_tex->height;
@@ -4838,6 +4838,8 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
                 }
             }
 
+            glyph_height = qMin(glyph_height, glyph_im.height());
+
             QGLGlyphCoord *qgl_glyph = new QGLGlyphCoord;
             qgl_glyph->x = qreal(font_tex->x_offset) / font_tex->width;
             qgl_glyph->y = qreal(font_tex->y_offset) / font_tex->height;
@@ -4855,8 +4857,8 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
 
             if (!glyph_im.isNull()) {
                 int idx = 0;
-                uchar *tex_data = (uchar *) malloc(glyph_width*glyph_im.height()*2);
-                memset(tex_data, 0, glyph_width*glyph_im.height()*2);
+                uchar *tex_data = (uchar *) malloc(glyph_width*glyph_height*2);
+                memset(tex_data, 0, glyph_width*glyph_height*2);
 
                 bool is8BitGray = false;
 #ifdef Q_WS_QPA
@@ -4866,7 +4868,7 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
 #endif
                 glyph_im = glyph_im.convertToFormat(QImage::Format_Indexed8);
                 int cacheLineStart = (font_tex->x_offset + font_tex->y_offset*font_tex->width)*2;
-                for (int y=0; y<glyph_im.height(); ++y) {
+                for (int y=0; y<glyph_height; ++y) {
                     uchar *s = (uchar *) glyph_im.scanLine(y);
                     int lineStart = idx;
                     for (int x=0; x<glyph_im.width(); ++x) {
@@ -4883,16 +4885,12 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
                     cacheLineStart += font_tex->width*2;
                 }
                 glTexSubImage2D(GL_TEXTURE_2D, 0, font_tex->x_offset, font_tex->y_offset,
-                                glyph_width, glyph_im.height(),
+                                glyph_width, glyph_height,
                                 GL_LUMINANCE_ALPHA, GL_UNSIGNED_BYTE, tex_data);
                 free(tex_data);
             }
-            if (font_tex->x_offset + glyph_width + x_margin > font_tex->width) {
-                font_tex->x_offset = x_margin;
-                font_tex->y_offset += glyph_height + y_margin;
-            } else {
-                font_tex->x_offset += glyph_width + x_margin;
-            }
+
+            font_tex->x_offset += glyph_width + x_margin;
 
             cache->insert(glyphs[i], qgl_glyph);
         }