QGLGlyphCache: Fix texture buffer overrun

net147 · Qt by Nokia · commit 9520674b0f02 · 2012-08-27T13:29:38.000+02:00
The QGLGlyphCache::cacheGlyphs function reallocates a larger texture
when there is no more room to insert a newly rendered glyph. However,
the glyph width used to check whether reallocation is needed is not the
same as the actual glyph image width and may be less. When the glyph
image is then copied into the texture, a buffer overrun may occur.

Task-number: QTBUG-23584
Change-Id: I71d6cd987b7519e5235109c14a5a35e452332417
Reviewed-by: Friedemann Kleint &lt;Friedemann.Kleint@nokia.com&gt;
Reviewed-by: Andy Shaw &lt;andy.shaw@digia.com&gt;
Reviewed-by: Jiang Jiang &lt;jiang.jiang@nokia.com&gt;
diff --git a/src/opengl/qpaintengine_opengl.cpp b/src/opengl/qpaintengine_opengl.cpp
@@ -4799,8 +4799,13 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
         if (it == cache->constEnd()) {
             // render new glyph and put it in the cache
             glyph_metrics_t metrics = fontEngine->boundingBox(glyphs[i]);
-            int glyph_width = qRound(metrics.width.toReal())+2;
-            int glyph_height = qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal())+2;
+            QImage glyph_im(fontEngine->alphaMapForGlyph(glyphs[i]));
+            int glyph_width = glyph_im.width();
+            int glyph_height = qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal()) + 2;
+            Q_ASSERT(glyph_width >= 0);
+            // pad the glyph width to an even number
+            if (glyph_width % 2 != 0)
+                ++glyph_width;
 
             if (font_tex->x_offset + glyph_width + x_margin > font_tex->width) {
                 int strip_height = qt_next_power_of_two(qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal())+2);
@@ -4834,13 +4839,6 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
                 }
             }
 
-            QImage glyph_im(fontEngine->alphaMapForGlyph(glyphs[i]));
-            glyph_width = glyph_im.width();
-            Q_ASSERT(glyph_width >= 0);
-            // pad the glyph width to an even number
-            if (glyph_width%2 != 0)
-                ++glyph_width;
-
             QGLGlyphCoord *qgl_glyph = new QGLGlyphCoord;
             qgl_glyph->x = qreal(font_tex->x_offset) / font_tex->width;
             qgl_glyph->y = qreal(font_tex->y_offset) / font_tex->height;
