Details
Bug
Resolution: Out of scope
Not Evaluated
None
4.8.0, 4.8.3
None
Windows 7, MSVC 2008
Description
All line numbers are based on 4.8.0; the issue has also been confirmed in 4.8.3.
On line 4866 of qpaintengine_opengl.cpp there is a memcpy:
memcpy(font_tex->data+cacheLineStart, tex_data+lineStart, glyph_width*2);
This line can write past the end of the font_tex->data buffer when using MS UI Gothic 8. I have added an assert prior to that line:
Q_ASSERT(cacheLineStart+glyph_width*2 < font_tex->width*font_tex->height*2);
which fires at times. We are calling QGLWidget::renderText to get to this point. In our particular program, we get a crash on exit when the glyph cache is cleaned up.
The problem appears to be a mismatch between the size returned by the font engine (on line 4756, used for allocating the texture map) and the size returned by glyph_im.height(), which is used to walk the scanlines at line 4853. When the number of scanlines is greater, the copy writes outside the bounds of font_tex->data.
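As an added illustration, not taken from the report or from Qt's source, the following stand-alone C++ models the copy loop with the bounds check the report's assert suggests: each scanline is copied only if it fits entirely inside the texture buffer, and the function reports how many rows it actually wrote so the caller can detect the height mismatch instead of overrunning the heap. The FontTex struct, the stride parameters and the demo values are all constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the QGL font texture: width*height texels at
// 2 bytes each, matching the report's "font_tex->width*font_tex->height*2".
struct FontTex {
    int width;
    int height;
    std::vector<uint8_t> data;
    FontTex(int w, int h) : width(w), height(h), data(size_t(w) * h * 2, 0) {}
};

// Copies glyph scanlines into the texture, but only those that fit entirely
// inside font_tex.data. `scanlines` plays the role of glyph_im.height(), which
// the report says can exceed the height the font engine used for allocation.
// Returns the number of scanlines actually copied; a short count is the
// mismatch the report describes and can be logged or treated as a skipped glyph.
// `cacheStride` and `srcStride` are assumed byte strides between rows.
size_t copy_glyph_rows(FontTex &font_tex, size_t cacheLineStart, size_t cacheStride,
                       const uint8_t *tex_data, size_t lineStart, size_t srcStride,
                       size_t glyph_width, int scanlines)
{
    const size_t dst_size = size_t(font_tex.width) * font_tex.height * 2;
    const size_t row_bytes = glyph_width * 2;
    size_t copied = 0;
    for (int y = 0; y < scanlines; ++y) {
        // Overflow-safe form of "cacheLineStart + glyph_width*2 <= dst_size".
        if (cacheLineStart > dst_size || row_bytes > dst_size - cacheLineStart)
            break; // this row would write past the end of font_tex.data
        std::memcpy(font_tex.data.data() + cacheLineStart, tex_data + lineStart, row_bytes);
        cacheLineStart += cacheStride;
        lineStart += srcStride;
        ++copied;
    }
    return copied;
}

// Constructed mismatch: the texture has room for 4 rows of an 8-texel-wide
// glyph, but the glyph image claims 6 scanlines. Only 4 rows are copied.
size_t demo_mismatch()
{
    FontTex tex(8, 4);
    std::vector<uint8_t> glyph(8 * 2 * 6, 0xAB); // constructed source bitmap
    return copy_glyph_rows(tex, 0, 8 * 2, glyph.data(), 0, 8 * 2, 8, 6); // 4
}

// Constructed matching case: texture and image agree on 6 rows, so every row
// lands and the last texel byte holds the source value.
bool demo_fits()
{
    FontTex tex(8, 6);
    std::vector<uint8_t> glyph(8 * 2 * 6, 0xAB);
    size_t copied = copy_glyph_rows(tex, 0, 8 * 2, glyph.data(), 0, 8 * 2, 8, 6);
    return copied == 6 && tex.data.back() == 0xAB;
}
```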