Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562)

2015-03-30 10:33:49 -05:00 · 2015-03-30 10:33:49 -05:00 · 21c37f05b9
parent aa433e16dc
commit 21c37f05b9
2 changed files with 91 additions and 1 deletions
--- a/0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
+++ b/0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
@ -0,0 +1,85 @@
+From 890ae41d0601d20505df2f955a99d0238bf4f59e Mon Sep 17 00:00:00 2001
+From: Pierre Rossi <pierre.rossi@theqtcompany.com>
+Date: Wed, 7 Jan 2015 16:16:23 +0100
+Subject: [PATCH 012/223] Fix a crash in QPlainTextEdit::documentChanged
+
+The layout for an invalid block is very likely to be null, it
+shouldn't be accessed without checking the block's validity first.
+We can make the check a bit more conservative and simply check that
+the block isn't empty.
+
+Change-Id: Ic1459a6168b1b8ce36e9c6d019dc28653676efbe
+Task-number: QTBUG-43562
+Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
+---
+ src/widgets/widgets/qplaintextedit.cpp             |  3 +-
+ .../widgets/qplaintextedit/tst_qplaintextedit.cpp  | 33 ++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/widgets/widgets/qplaintextedit.cpp b/src/widgets/widgets/qplaintextedit.cpp
+index 72a556d..e56fd11 100644
+--- a/src/widgets/widgets/qplaintextedit.cpp
+++ b/src/widgets/widgets/qplaintextedit.cpp
+@@ -288,8 +288,7 @@ void QPlainTextDocumentLayout::documentChanged(int from, int charsRemoved, int c
+ 
+     if (changeStartBlock == changeEndBlock && newBlockCount == d->blockCount) {
+         QTextBlock block = changeStartBlock;
+-        int blockLineCount = block.layout()->lineCount();
+-        if (block.isValid() && blockLineCount) {
+        if (block.isValid() && block.length()) {
+             QRectF oldBr = blockBoundingRect(block);
+             layoutBlock(block);
+             QRectF newBr = blockBoundingRect(block);
+diff --git a/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp b/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
+index d8e7fb7..cf495e2 100644
+--- a/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
+++ b/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
+@@ -148,6 +148,7 @@ private slots:
+ #endif
+     void layoutAfterMultiLineRemove();
+     void undoCommandRemovesAndReinsertsBlock();
+    void taskQTBUG_43562_lineCountCrash();
+ 
+ private:
+     void createSelection();
+@@ -1629,5 +1630,37 @@ void tst_QPlainTextEdit::undoCommandRemovesAndReinsertsBlock()
+ 
+ }
+ 
+class ContentsChangedFunctor {
+public:
+    ContentsChangedFunctor(QPlainTextEdit *t) : textEdit(t) {}
+    void operator()(int, int, int)
+    {
+        QTextCursor c(textEdit->textCursor());
+        c.beginEditBlock();
+        c.movePosition(QTextCursor::Start);
+        c.movePosition(QTextCursor::End, QTextCursor::KeepAnchor);
+        c.setCharFormat(QTextCharFormat());
+        c.endEditBlock();
+    }
+
+private:
+    QPlainTextEdit *textEdit;
+};
+
+void tst_QPlainTextEdit::taskQTBUG_43562_lineCountCrash()
+{
+    connect(ed->document(), &QTextDocument::contentsChange, ContentsChangedFunctor(ed));
+    // Don't crash
+    QTest::keyClicks(ed, "Some text");
+    QTest::keyClick(ed, Qt::Key_Left);
+    QTest::keyClick(ed, Qt::Key_Right);
+    QTest::keyClick(ed, Qt::Key_A);
+    QTest::keyClick(ed, Qt::Key_Left);
+    QTest::keyClick(ed, Qt::Key_Right);
+    QTest::keyClick(ed, Qt::Key_Space);
+    QTest::keyClicks(ed, "nd some more");
+    disconnect(ed->document(), SIGNAL(contentsChange(int, int, int)), 0, 0);
+}
+
+ QTEST_MAIN(tst_QPlainTextEdit)
+ #include "tst_qplaintextedit.moc"
+-- 
+1.9.3
+
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -37,7 +37,7 @@
 Summary: Qt5 - QtBase components
 Name:    qt5-qtbase
 Version: 5.4.1
-Release: 5%{?dist}
+Release: 6%{?dist}

 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -104,6 +104,7 @@ Patch207: qt5-qtbase-5.5-0007-xcb-create-a-screen-if-dimensions-are-known-but-ou
 Patch208: qt5-qtbase-5.5-Get_display_number_when_screen_number_is_omitted.patch


+Patch212: 0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
 Patch272: 0072-CMake-Fix-QObject-connect-failing-on-ARM.patch
 Patch294: 0094-Fix-Meta-.-shortcuts-on-XCB.patch
 Patch332: 0132-Call-ofono-nm-Registered-delayed-in-constructor-othe.patch
@ -364,6 +365,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
 %patch207 -p1 -b .xcb0007
 %patch208 -p1 -b .ibus_get_display_number

+%patch212 -p1 -b .0012
 %patch272 -p1 -b .0072
 %patch294 -p1 -b .0094
 %patch332 -p1 -b .0132
@ -879,6 +881,9 @@ fi


 %changelog
+* Mon Mar 30 2015 Rex Dieter <rdieter@fedoraproject.org> 5.4.1-6
+- Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562)
+
 * Mon Mar 30 2015 Rex Dieter <rdieter@fedoraproject.org> 5.4.1-5
 - unable to use input methods in ibus-1.5.10 (#1203575)