author | Marc Mutz <marc.mutz@kdab.com> | 2016-09-26 19:56:07 +0200 |
---|---|---|
committer | Marc Mutz <marc.mutz@kdab.com> | 2016-09-27 04:23:48 +0000 |
commit | fcf4767bffd201a0b8da1ed6f5425e3f5ce0e4ff (patch) | |
tree | 4e8a712f92d700d8ec42aefbedb4f01feab8ccb3 | |
parent | b4995eb7491c1b4784a1bf48db834c11c42b8d9d (diff) | |
download | qtbase-fcf4767bffd201a0b8da1ed6f5425e3f5ce0e4ff.tar.gz |
QLayout: Fix UB (invalid cast) in widgetEvent()
Found by UBSan:
qlayout.cpp:612:50: runtime error: downcast of address 0x7ffcd4c39a70 which does not point to an object of type 'QWidget'
0x7ffcd4c39a70: note: object is of type 'QObject'
00 00 00 00 b0 43 4c 7b f5 2a 00 00 70 c9 28 02 00 00 00 00 08 93 9a 77 f5 2a 00 00 00 00 c3 d4
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QObject'
#0 0x2af56f189960 in QLayout::widgetEvent(QEvent*) qlayout.cpp:612
#1 0x2af56f037660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3732
#2 0x2af56f06ae5b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
#3 0x2af57989e383 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
#4 0x2af5799c1696 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
#5 0x2af5799c1696 in QObjectPrivate::setParent_helper(QObject*) qobject.cpp:2043
#6 0x2af5799c4823 in QObject::~QObject() qobject.cpp:1095
#7 0x2af56f2d205d in QWidget::~QWidget() qwidget.cpp:1549
#8 0x2af56f9c1366 in QFrame::~QFrame() qframe.cpp:262
#9 0x2af56f9e76cb in QLabel::~QLabel() qlabel.cpp:247
#10 0x458077 in tst_QStyleSheetStyle::emptyStyleSheet() tst_qstylesheetstyle.cpp:1400
Fix by not casting at all (or, to be precise, casting implicitly up
instead of explicitly down).
Change-Id: Ic19fd29e0cabd1aee5b1c93ca4c0fc70bc7a5927
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
-rw-r--r-- | src/widgets/kernel/qlayout.cpp | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/widgets/kernel/qlayout.cpp b/src/widgets/kernel/qlayout.cpp
index 8631149f3d..7ca8de6f7a 100644
--- a/src/widgets/kernel/qlayout.cpp
+++ b/src/widgets/kernel/qlayout.cpp
@@ -540,7 +540,7 @@ void QLayout::invalidate()
 update();
 }
 
-static bool removeWidgetRecursively(QLayoutItem *li, QWidget *w)
+static bool removeWidgetRecursively(QLayoutItem *li, QObject *w)
 {
 QLayout *lay = li->layout();
 if (!lay)
@@ -603,12 +603,11 @@ void QLayout::widgetEvent(QEvent *e)
 {
 QChildEvent *c = (QChildEvent *)e;
 if (c->child()->isWidgetType()) {
- QWidget *w = (QWidget *)c->child();
 #ifndef QT_NO_MENUBAR
- if (w == d->menubar)
+ if (c->child() == d->menubar)
 d->menubar = 0;
 #endif
- removeWidgetRecursively(this, w);
+ removeWidgetRecursively(this, c->child());
 }
 }
 break; |
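Review bot: The widened parameter `QObject *w` of removeWidgetRecursively() gives no hint that it may point at an object whose QWidget part has already been destroyed, so a later edit could reintroduce a dereference or downcast. If the body only compares the pointer, which cannot be confirmed here because it continues outside the hunk, the signature could be `static bool removeWidgetRecursively(QLayoutItem *li, const QObject *w)`. A comment above it would record the constraint, for example `// w may be a partially destroyed child: compare the pointer only, never dereference or downcast it`.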
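Review bot: The context line `QChildEvent *c = (QChildEvent *)e;` in widgetEvent() keeps a C-style downcast of the same kind this commit removes for the child pointer. It is presumably guarded by an event-type check in the enclosing switch, whose case label lies outside the hunk. Writing it as `QChildEvent *c = static_cast<QChildEvent *>(e);` would keep the cast greppable and rule out an accidental reinterpret or const cast. Since the UBSan trace shows this path being entered from ~QObject() after ~QWidget() has run, a comment on the `isWidgetType()` branch would help prevent the downcast from returning, for example `// child may already be past ~QWidget() here; treat it as a QObject and use it for pointer identity only`.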