Qt Bug Tracker: QTBUG-88350

QTextCursor.insertText of a garbage QString segfaults on layoutData due to CreateFontFaceFromHDC failure


Details

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Not Evaluated
    • Version: 5.12
    • Component: GUI: Font handling
    • Platform: Windows

    Description

      If QTextCursor::insertText() is called with a garbage QString, Qt reports a CreateFontFaceFromHDC failure and then segfaults inside endEditBlock(), dereferencing layoutData in QTextEngine::fontEngine.

      Steps to reproduce:

      1) Create a QString with garbage QChars

      In this case, the QString was built from a qCompress()ed QByteArray, so the "text" is compressed binary data:

      QString "the first rtf document does not end with '}' – '0esA??P???*,?' [E004944 TH12619 concatenateRtf]"

      [114] 1 '\x1' char
      [115] 181 'µ' char
      [116] 181 'µ' char
      [117] 215 '×' char
      [118] 48 '0' char
      [119] 101 'e' char
      [120] 115 's' char
      [121] 65 'A' char
      [122] 215 '×' char
      [123] 19 '\x13' char
      [124] 206 'Î' char
      [125] 155 '?' char
      [126] 223 'ß' char
      [127] 150 '?' char
      [128] 239 'ï' char
      [129] 80 'P' char
      [130] 189 '½' char
      [131] 63 '?' char
      [132] 239 'ï' char
      [133] 42 '*' char
      [134] 44 ',' char
      [135] 222 'Þ' char

      As a QString
      [0x0000002c] 0x0020 ' ' unsigned short
      [0x0000002d] 0x002d '-' unsigned short
      [0x0000002e] 0x002d '-' unsigned short
      [0x0000002f] 0x0020 ' ' unsigned short
      [0x00000030] 0x0027 ''' unsigned short
      [0x00000031] 0xfffd '?' unsigned short
      [0x00000032] 0xfffd '?' unsigned short
      [0x00000033] 0x0030 '0' unsigned short
      [0x00000034] 0x0065 'e' unsigned short
      [0x00000035] 0x0073 's' unsigned short
      [0x00000036] 0x0041 'A' unsigned short
      [0x00000037] 0xfffd '?' unsigned short
      [0x00000038] 0x0013 '\x13' unsigned short
      [0x00000039] 0x039b '?' unsigned short
      [0x0000003a] 0x07d6 '?' unsigned short
      [0x0000003b] 0xfffd '?' unsigned short
      [0x0000003c] 0x0050 'P' unsigned short
      [0x0000003d] 0xfffd '?' unsigned short
      [0x0000003e] 0x003f '?' unsigned short
      [0x0000003f] 0xfffd '?' unsigned short
      [0x00000040] 0x002a '*' unsigned short
      [0x00000041] 0x002c ',' unsigned short
      [0x00000042] 0xfffd '?' unsigned short
      [0x00000043] 0x0027 ''' unsigned short

      2) Call QTextCursor::insertText

      3) Qt reports

      QTextLayout::beginLayout: Called while already doing layout
      OpenType support missing for "Courier New", script 66
      OpenType support missing for "Arial", script 66
      OpenType support missing for "MS UI Gothic", script 66
      OpenType support missing for "Gulim", script 66
      OpenType support missing for "SimSun", script 66
      OpenType support missing for "PMingLiU", script 66
      OpenType support missing for "Arial Unicode MS", script 66
      OpenType support missing for "Segoe UI Symbol", script 66
      OpenType support missing for "Ebrima", script 66
      OpenType support missing for "Traditional Arabic", script 66
      OpenType support missing for "BatangChe", script 66
      OpenType support missing for "Consolas", script 66
      OpenType support missing for "Courier", script 66
      OpenType support missing for "DFKai-SB", script 66
      OpenType support missing for "DotumChe", script 66
      OpenType support missing for "FangSong", script 66
      DirectWrite: CreateFontFaceFromHDC() failed (Unknown error 0x88985000.) for QFontDef(Family="Fixedsys", pointsize=12, pixelsize=15, styleHint=5, weight=50, stretch=100, hintingPreference=0) LOGFONT("Fixedsys", lfWidth=0, lfHeight=-15) dpi=96
      ...

      4) QTextEngine::length() segfaults with layoutData 0xddddddd

      if (si + 1 < layoutData->items.constData()+ layoutData->items.size())

      5) The stack trace is

      Qt5Guid.dll!QTextEngine::fontEngine(const QScriptItem & si, QFixed * ascent, QFixed * descent, QFixed * leading) Line 2538 C++
      Qt5Guid.dll!QTextEngine::shapeText(int item) Line 1407 C++
      Qt5Guid.dll!QTextEngine::shape(int item) Line 2006 C++
      Qt5Guid.dll!QTextLine::layout_helper(int maxGlyphs) Line 1837 C++
      Qt5Guid.dll!QTextLine::setLineWidth(double width) Line 1597 C++
      Qt5Guid.dll!QTextDocumentLayoutPrivate::layoutBlock(const QTextBlock & bl, int blockPosition, const QTextBlockFormat & blockFormat, QTextLayoutStruct * layoutStruct, int layoutFrom, int layoutTo, const QTextBlockFormat * previousBlockFormat) Line 2662 C++
      Qt5Guid.dll!QTextDocumentLayoutPrivate::layoutFlow(QTextFrame::iterator it, QTextLayoutStruct * layoutStruct, int layoutFrom, int layoutTo, QFixed width) Line 2443 C++
      Qt5Guid.dll!QTextDocumentLayoutPrivate::layoutFrame(QTextFrame * f, int layoutFrom, int layoutTo, QFixed frameWidth, QFixed frameHeight, QFixed parentY) Line 2182 C++
      Qt5Guid.dll!QTextDocumentLayoutPrivate::layoutFrame(QTextFrame * f, int layoutFrom, int layoutTo, QFixed parentY) Line 2070 C++
      Qt5Guid.dll!QTextDocumentLayout::doLayout(int from, int oldLength, int length) Line 2986 C++
      Qt5Guid.dll!QTextDocumentLayout::documentChanged(int from, int oldLength, int length) Line 2949 C++
      Qt5Guid.dll!QTextDocumentPrivate::finishEdit() Line 1223 C++
      Qt5Guid.dll!QTextDocumentPrivate::endEditBlock() Line 1202 C++
      > Qt5Guid.dll!QTextCursor::insertText(const QString & text, const QTextCharFormat & _format) Line 1502 C++
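      The string in this report is compressed binary data decoded as text, which is why it carries U+FFFD replacement characters and raw control codes. A defender-side gate for such input, added here as an example and not Qt's own code: it scans the UTF-16 code units (std::u16string stands in for the buffer QString::utf16() exposes; the sample below is the report's own dump, reconstructed) and either rejects the string or replaces the offending units before it ever reaches QTextCursor::insertText(). scanUtf16, sanitizeUtf16 and safeToInsert are hypothetical names.

```cpp
#include <cstddef>
#include <string>

// Constructed from the "As a QString" dump in the report (units 0x2c..0x43).
const std::u16string kGarbageFromReport = {
    0x0020, 0x002d, 0x002d, 0x0020, 0x0027, 0xfffd, 0xfffd, 0x0030,
    0x0065, 0x0073, 0x0041, 0xfffd, 0x0013, 0x039b, 0x07d6, 0xfffd,
    0x0050, 0xfffd, 0x003f, 0xfffd, 0x002a, 0x002c, 0xfffd, 0x0027};

struct ScanResult {
    int replacementChars = 0;  // U+FFFD: bytes that were not valid text when decoded
    int controlChars = 0;      // C0/C1 controls other than tab, LF, CR
    int loneSurrogates = 0;    // 0xD800..0xDFFF units that do not form a pair
    bool suspicious() const { return replacementChars + controlChars + loneSurrogates > 0; }
};

static bool isHigh(char16_t c) { return c >= 0xD800 && c <= 0xDBFF; }
static bool isLow(char16_t c)  { return c >= 0xDC00 && c <= 0xDFFF; }
static bool isControl(char16_t c) {
    return (c < 0x20 && c != u'\t' && c != u'\n' && c != u'\r') || (c >= 0x7F && c < 0xA0);
}

// Walk the UTF-16 units once, counting what a font/shaping stack should never
// be handed. When `keep` is non-null it receives a cleaned copy in which every
// flagged unit is replaced by '?'; valid surrogate pairs are copied through.
ScanResult scanUtf16(const std::u16string &s, std::u16string *keep = nullptr) {
    ScanResult r;
    for (size_t i = 0; i < s.size(); ++i) {
        char16_t c = s[i];
        if (isHigh(c) && i + 1 < s.size() && isLow(s[i + 1])) {  // valid pair
            if (keep) { *keep += c; *keep += s[i + 1]; }
            ++i;
            continue;
        }
        bool bad = true;
        if (c == 0xFFFD) ++r.replacementChars;
        else if (isControl(c)) ++r.controlChars;
        else if (isHigh(c) || isLow(c)) ++r.loneSurrogates;
        else bad = false;
        if (keep) *keep += bad ? u'?' : c;
    }
    return r;
}

std::u16string sanitizeUtf16(const std::u16string &s) {
    std::u16string out;
    scanUtf16(s, &out);
    return out;
}

// Gate: only hand text to QTextCursor::insertText() when it scans clean.
bool safeToInsert(const std::u16string &s) { return !scanUtf16(s).suspicious(); }
```

      Rejecting the string outright is the safer choice where the source is untrusted; sanitizing keeps the document editable while still logging that binary data reached a text path.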

          People

            esabraha Eskil Abrahamsen Blomfeldt
            bbarber Brad Barber