[Patch] Crash due to unsafe access to QTextLayout::lineCount

Consider the following sample application:

------------ test.hpp ------------
#include <QPlainTextEdit>

class TextEdit : public QPlainTextEdit
{
Q_OBJECT
public:
TextEdit()

{ connect(document(), SIGNAL(contentsChange(int,int,int)), this, SLOT(slotChanged(int,int,int))); }

private slots:
void slotChanged(int pos, int removed, int added)

{ QTextCursor c(this->textCursor()); c.beginEditBlock(); c.movePosition(QTextCursor::Start); c.movePosition(QTextCursor::End, QTextCursor::KeepAnchor); c.setCharFormat(QTextCharFormat()); c.endEditBlock(); }

};
----------------------------------
------------ test.cpp ------------
#include <QApplication>
#include "test.hpp"

int main (int argc, char *argv[])

{ QApplication app(argc, argv); TextEdit textEdit; textEdit.show(); return app.exec(); }

----------------------------------

$ moc-qt5 test.hpp > moc_test.cpp
$ g++ -o test *.cpp -g -fPIC $(pkg-config --cflags --libs Qt5Widgets)

Start typing in the text edit, and the application will pretty soon crash with the following stacktrace:
----------- Stacktrace ----------
#0 0x00007ffff73c2c50 in QTextLayout::lineCount() const (this=0x0) at text/qtextlayout.cpp:804
#1 0x00007ffff7a7f7ee in QPlainTextDocumentLayout::documentChanged(int, int, int) (this=0x676e30, from=-1, charsRemoved=<optimized out>, charsAdded=<optimized out>)
at widgets/qplaintextedit.cpp:291
#2 0x00007ffff73ee253 in QTextDocumentPrivate::finishEdit() (this=this@entry=0x68eab0) at text/qtextdocument_p.cpp:1214
#3 0x00007ffff73f1283 in QTextDocumentPrivate::insert(int, int, int, int) (this=0x68eab0, pos=3, strPos=strPos@entry=4, strLength=strLength@entry=1, format=format@entry=0)
at text/qtextdocument_p.cpp:467
#4 0x00007ffff741a8ee in QTextCursor::insertText(QString const&, QTextCharFormat const&) (this=0x65b9f0, text=..., _format=...) at text/qtextcursor.cpp:1468
#5 0x00007ffff741b034 in QTextCursor::insertText(QString const&) (this=this@entry=0x65b9f0, text=...) at text/qtextcursor.cpp:1397
#6 0x00007ffff7a66c28 in QWidgetTextControlPrivate::keyPressEvent(QKeyEvent*) (this=this@entry=0x65b970, e=e@entry=0x7fffffffd820) at widgets/qwidgettextcontrol.cpp:1351
#7 0x00007ffff7a6bf2b in QWidgetTextControl::processEvent(QEvent*, QMatrix const&, QWidget*) (this=<optimized out>, e=0x7fffffffd820, matrix=..., contextWidget=0x659db0)
at widgets/qwidgettextcontrol.cpp:991
#8 0x00007ffff7a62ceb in QWidgetTextControl::processEvent(QEvent*, QPointF const&, QWidget*) (this=0x658350, e=e@entry=0x7fffffffd820, coordinateOffset=..., contextWidget=contextWidget@entry=0x659db0) at widgets/qwidgettextcontrol.cpp:951
#9 0x00007ffff7a8547c in QPlainTextEdit::keyPressEvent(QKeyEvent*) (e=0x7fffffffd820, this=0x659970) at widgets/qplaintextedit_p.h:128
[...]
---------------------------------

The problem is that in QPlainTextDocumentLayout::documentChanged at qplaintextedit.cpp:292 QTextLayout::lineCount is called before ensuring that the QTextLayout is valid. This results, in this case, in QTextLayout::lineCount being called on a null QTextLayout.

A trivial patch is attached.

This bug affects at least 5.3.2 and 5.4.0 of the Qt5 series. Qt4 seems unaffected.