Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-41355

QFontEngineQPF crashes beyond the memory edge

    XMLWordPrintable

Details

    • Bug
    • Resolution: Out of scope
    • Not Evaluated
    • None
    • 4.7.1
    • (Inactive) GUI: QWS Integration (Qt4)
    • None
    • atom linux

    Description

      we used two fonts in our system, one is Microsoft Yahei, another is Arial.

      when we not use setFont when the QApplication is constructed, it uses its own default fonts which create a qfontenginemultiqws contains
      arial fontengine. then when we try to calculate the Label text width, it firstly load the default fonts first , and
      created a _12_50.qsf cache file from arial, but the arial do not support the text to be written, so the multifontengine
      created a QFontEngineQPF(microsoft_yahei_12_50.qsf) to support the text, but the QFontEngineQPF is not inserted into the QFontCache instance.

      since that, bugs occured. when we try to paint the text, qt used the style to modify the font of widget. then, when the texts is painted,
      the font become the real microsoft yahei font, which is different from the default font, so it also created a qfontenginemultiqws, which loaded another
      QFontEngineQPF(microsoft_yahei_12_50.qsf), so two QFontEngineQPF object uses the same "microsoft_yahei_12_50.qsf" file. when one QFontEngineQPF insert a new font map to the microsoft_yahei_12_50.qsf, another is not remapped. and if another is used to draw the new inserted font, it find glyph from the shared cache file "the microsoft_yahei_12_50.qsf", but it crashs because it is not remapped.

      i think , the bug is from the following code---"qfontengine_qpf.cpp : line 152":

      const QFontEngineQPF::Glyph *QFontEngineQPF::findGlyph(glyph_t g) const
      {
      if (!g || g >= glyphMapEntries)
      return 0;
      const quint32 *gmapPtr = reinterpret_cast<const quint32 *>(fontData + glyphMapOffset);
      quint32 glyphPos = qFromBigEndian<quint32>(gmapPtr[g]);
      if (glyphPos > glyphDataSize)

      { if (glyphPos == 0xffffffff) return 0; #if defined(DEBUG_FONTENGINE) qDebug() << "glyph" << g << "outside of glyphData, remapping font file"; #endif #if !defined(QT_NO_FREETYPE) && !defined(QT_FONTS_ARE_RESOURCES) const_cast<QFontEngineQPF *>(this)->remapFontData(); #endif if (glyphPos > glyphDataSize) return 0; }

      return reinterpret_cast<const Glyph *>(fontData + glyphDataOffset + glyphPos);
      }

      the codes above, "glyphPos > glyphDataSize" should be changed to "glyphPos >= glyphDataSize", because when two QFontEngineQPF used the same ***.qsf cache
      file, when one insert a char on the cache edge, another find it when "glyphPos == glyphDataSize", which is just not remap the cache file , which leads to crashed finally.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            Unassigned Unassigned
            dengliangxj Daniel Lion
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes