Fix potential truncation in write_xbm_image()

The old code sized the buffer according to the UTF-16 size of the
input, but in fact wrote UTF-8 output, which can be up to twice as
large as UTF-16, overflowing the buffer size. Not a buffer overflow,
because qs_n_printf(), but truncation would create an invalid XBM
file here.

Fix by converting to UTF-8 first (and only once), and taking the
buffer size from there.

Introduced by 2883a6de408c991ecf6184d7216c7d3de6fa4f4f, which replaced
toAscii() (whose result has the same size as the input) with toUtf8()
(which can be larger).

Pick-to: 6.8 6.7 6.5
Change-Id: I4acc0816a94060520695c3e6895ed982812fdee2
Reviewed-by: Thiago Macieira <[email protected]>

1 files changed, 4 insertions, 4 deletions

diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
index 37a458e9420..fdc3337862f 100644
--- a/src/gui/image/qxbmhandler.cpp
+++ b/src/gui/image/qxbmhandler.cpp
@@ -161,15 +161,15 @@ static bool write_xbm_image(const QImage &sourceImage, QIODevice *device, const
     int        w = image.width();
     int        h = image.height();
     int        i;
-    QString    s = fileName; // get file base name
+    const QByteArray s = fileName.toUtf8(); // get file base name
     int        msize = s.size() + 100;
     char *buf = new char[msize];
 
-    qsnprintf(buf, msize, "#define %s_width %d\n", s.toUtf8().data(), w);
+    qsnprintf(buf, msize, "#define %s_width %d\n", s.data(), w);
     device->write(buf, qstrlen(buf));
-    qsnprintf(buf, msize, "#define %s_height %d\n", s.toUtf8().data(), h);
+    qsnprintf(buf, msize, "#define %s_height %d\n", s.data(), h);
     device->write(buf, qstrlen(buf));
-    qsnprintf(buf, msize, "static char %s_bits[] = {\n ", s.toUtf8().data());
+    qsnprintf(buf, msize, "static char %s_bits[] = {\n ", s.data());
     device->write(buf, qstrlen(buf));
 
     if (image.format() != QImage::Format_MonoLSB)