author | Jonathan Liu <net147@gmail.com> | 2012-08-15 14:31:39 (GMT) |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2012-08-27 11:29:38 (GMT) |
commit | 9520674b0f02aac55da6d98a6c56c74ce240cca6 (patch) | |
tree | cfb727d96ebb9db0f50e741517109e3f2c848517 /src/opengl/qpaintengine_opengl.cpp | |
parent | 1b3a74e74237d004527c3f296b7ec65365be0f25 (diff) | |
QGLGlyphCache: Fix texture buffer overrun
The QGLGlyphCache::cacheGlyphs function reallocates a larger texture
when there is no more room to insert a newly rendered glyph. However,
the glyph width used to check whether reallocation is needed is not the
same as the actual glyph image width and may be less. When the glyph
image is then copied into the texture, a buffer overrun may occur.
Task-number: QTBUG-23584
Change-Id: I71d6cd987b7519e5235109c14a5a35e452332417
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@nokia.com>
Reviewed-by: Andy Shaw <andy.shaw@digia.com>
Reviewed-by: Jiang Jiang <jiang.jiang@nokia.com>
Diffstat (limited to 'src/opengl/qpaintengine_opengl.cpp')
-rw-r--r-- | src/opengl/qpaintengine_opengl.cpp | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/src/opengl/qpaintengine_opengl.cpp b/src/opengl/qpaintengine_opengl.cpp
index a3d0489..371db92 100644
--- a/src/opengl/qpaintengine_opengl.cpp
+++ b/src/opengl/qpaintengine_opengl.cpp
@@ -4799,8 +4799,13 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
 if (it == cache->constEnd()) {
 // render new glyph and put it in the cache
 glyph_metrics_t metrics = fontEngine->boundingBox(glyphs[i]);
- int glyph_width = qRound(metrics.width.toReal())+2;
- int glyph_height = qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal())+2;
+ QImage glyph_im(fontEngine->alphaMapForGlyph(glyphs[i]));
+ int glyph_width = glyph_im.width();
+ int glyph_height = qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal()) + 2;
+ Q_ASSERT(glyph_width >= 0);
+ // pad the glyph width to an even number
+ if (glyph_width % 2 != 0)
+ ++glyph_width;
 if (font_tex->x_offset + glyph_width + x_margin > font_tex->width) {
 int strip_height = qt_next_power_of_two(qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal())+2);
@@ -4834,13 +4839,6 @@ void QGLGlyphCache::cacheGlyphs(QGLContext *context, QFontEngine *fontEngine,
 }
 }
- QImage glyph_im(fontEngine->alphaMapForGlyph(glyphs[i]));
- glyph_width = glyph_im.width();
- Q_ASSERT(glyph_width >= 0);
- // pad the glyph width to an even number
- if (glyph_width%2 != 0)
- ++glyph_width;
-
 QGLGlyphCoord *qgl_glyph = new QGLGlyphCoord;
 qgl_glyph->x = qreal(font_tex->x_offset) / font_tex->width;
 qgl_glyph->y = qreal(font_tex->y_offset) / font_tex->height; |
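Review bot: In the first hunk `glyph_height` is still computed from `ascent() + descent()` while `glyph_width` now comes from `glyph_im`, so the room check uses the real image width but a metric-based height. If the alpha map returned by `alphaMapForGlyph` can be taller than that value, the same class of overrun this commit fixes horizontally could remain vertically; the copy into the texture lies outside the hunk, so this is inferred and should be confirmed against the rest of `cacheGlyphs`. One option is to take the larger of the two, e.g. `int glyph_height = qMax(glyph_im.height(), qRound(fontEngine->ascent().toReal() + fontEngine->descent().toReal()) + 2);`. Separately, `Q_ASSERT(glyph_width >= 0)` compiles out in release builds and a null image (width 0) is not rejected here, so a comment such as `// glyph_im may be null if the engine cannot render the glyph; width is then 0` or an explicit `glyph_im.isNull()` guard would make the intended handling clear.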