From 21c37f05b959186ac453af4a13192a47c35ceebf Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Mon, 30 Mar 2015 10:33:49 -0500
Subject: [PATCH] Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562)
---
 ...sh-in-QPlainTextEdit-documentChanged.patch | 85 +++++++++++++++++++
 qt5-qtbase.spec | 7 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
diff --git a/0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch b/0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
new file mode 100644
index 0000000..bd6c3a8
--- /dev/null
+++ b/0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
@@ -0,0 +1,85 @@
+From 890ae41d0601d20505df2f955a99d0238bf4f59e Mon Sep 17 00:00:00 2001
+From: Pierre Rossi
+Date: Wed, 7 Jan 2015 16:16:23 +0100
+Subject: [PATCH 012/223] Fix a crash in QPlainTextEdit::documentChanged
+
+The layout for an invalid block is very likely to be null, it
+shouldn't be accessed without checking the block's validity first.
+We can make the check a bit more conservative and simply check that
+the block isn't empty.
+
+Change-Id: Ic1459a6168b1b8ce36e9c6d019dc28653676efbe
+Task-number: QTBUG-43562
+Reviewed-by: Simon Hausmann
+---
+ src/widgets/widgets/qplaintextedit.cpp | 3 +-
+ .../widgets/qplaintextedit/tst_qplaintextedit.cpp | 33 ++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/widgets/widgets/qplaintextedit.cpp b/src/widgets/widgets/qplaintextedit.cpp
+index 72a556d..e56fd11 100644
+--- a/src/widgets/widgets/qplaintextedit.cpp
++++ b/src/widgets/widgets/qplaintextedit.cpp
+@@ -288,8 +288,7 @@ void QPlainTextDocumentLayout::documentChanged(int from, int charsRemoved, int c
+
+ if (changeStartBlock == changeEndBlock && newBlockCount == d->blockCount) {
+ QTextBlock block = changeStartBlock;
+- int blockLineCount = block.layout()->lineCount();
+- if (block.isValid() && blockLineCount) {
++ if (block.isValid() && block.length()) {
+ QRectF oldBr = blockBoundingRect(block);
+ layoutBlock(block);
+ QRectF newBr = blockBoundingRect(block);
+diff --git a/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp b/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
+index d8e7fb7..cf495e2 100644
+--- a/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
++++ b/tests/auto/widgets/widgets/qplaintextedit/tst_qplaintextedit.cpp
+@@ -148,6 +148,7 @@ private slots:
+ #endif
+ void layoutAfterMultiLineRemove();
+ void undoCommandRemovesAndReinsertsBlock();
++ void taskQTBUG_43562_lineCountCrash();
+
+ private:
+ void createSelection();
+@@ -1629,5 +1630,37 @@ void tst_QPlainTextEdit::undoCommandRemovesAndReinsertsBlock()
+
+ }
+
++class ContentsChangedFunctor {
++public:
++ ContentsChangedFunctor(QPlainTextEdit *t) : textEdit(t) {}
++ void operator()(int, int, int)
++ {
++ QTextCursor c(textEdit->textCursor());
++ c.beginEditBlock();
++ c.movePosition(QTextCursor::Start);
++ c.movePosition(QTextCursor::End, QTextCursor::KeepAnchor);
++ c.setCharFormat(QTextCharFormat());
++ c.endEditBlock();
++ }
++
++private:
++ QPlainTextEdit *textEdit;
++};
++
++void tst_QPlainTextEdit::taskQTBUG_43562_lineCountCrash()
++{
++ connect(ed->document(), &QTextDocument::contentsChange, ContentsChangedFunctor(ed));
++ // Don't crash
++ QTest::keyClicks(ed, "Some text");
++ QTest::keyClick(ed, Qt::Key_Left);
++ QTest::keyClick(ed, Qt::Key_Right);
++ QTest::keyClick(ed, Qt::Key_A);
++ QTest::keyClick(ed, Qt::Key_Left);
++ QTest::keyClick(ed, Qt::Key_Right);
++ QTest::keyClick(ed, Qt::Key_Space);
++ QTest::keyClicks(ed, "nd some more");
++ disconnect(ed->document(), SIGNAL(contentsChange(int, int, int)), 0, 0);
++}
++
+ QTEST_MAIN(tst_QPlainTextEdit)
+ #include "tst_qplaintextedit.moc"
+--
+1.9.3
+
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index c885f9d..08a359a 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -37,7 +37,7 @@ Summary: Qt5 - QtBase components
 Name: qt5-qtbase
 Version: 5.4.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -104,6 +104,7 @@ Patch207: qt5-qtbase-5.5-0007-xcb-create-a-screen-if-dimensions-are-known-but-ou
 Patch208: qt5-qtbase-5.5-Get_display_number_when_screen_number_is_omitted.patch
+Patch212: 0012-Fix-a-crash-in-QPlainTextEdit-documentChanged.patch
 Patch272: 0072-CMake-Fix-QObject-connect-failing-on-ARM.patch
 Patch294: 0094-Fix-Meta-.-shortcuts-on-XCB.patch
 Patch332: 0132-Call-ofono-nm-Registered-delayed-in-constructor-othe.patch
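Review bot: In the qplaintextedit.cpp hunk carried by the added 0012 patch, the new guard `block.isValid() && block.length()` is not equivalent to the `blockLineCount` test it replaces: as far as I know QTextBlock::length() counts the block separator, so it is non-zero for every valid block and the second conjunct likely never fails. The early dereference of `block.layout()` is gone, which is the crash fix, but the branch now also runs for blocks with no laid-out lines; a comment such as `// layout() can be null for an invalid block; do not touch it before isValid()` would record why the order matters. In the new test, `disconnect(ed->document(), SIGNAL(contentsChange(int, int, int)), 0, 0);` drops every receiver of that signal on the document, not only the functor; keeping the handle with `QMetaObject::Connection conn = connect(...);` and ending with `disconnect(conn);` is narrower. documentChanged starts and ends outside the hunk, so whether later code in that branch relies on a non-empty layout cannot be confirmed from this page.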
@@ -364,6 +365,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
 %patch207 -p1 -b .xcb0007
 %patch208 -p1 -b .ibus_get_display_number
+%patch212 -p1 -b .0012
 %patch272 -p1 -b .0072
 %patch294 -p1 -b .0094
 %patch332 -p1 -b .0132
@@ -879,6 +881,9 @@ fi
 %changelog
+* Mon Mar 30 2015 Rex Dieter 5.4.1-6
+- Crash due to unsafe access to QTextLayout::lineCount (#1207279,QTBUG-43562)
+
 * Mon Mar 30 2015 Rex Dieter 5.4.1-5
 - unable to use input methods in ibus-1.5.10 (#1203575)