QLayout: Fix UB (invalid cast) in widgetEvent()
Found by UBSan:

  qlayout.cpp:612:50: runtime error: downcast of address 0x7ffcd4c39a70 which does not point to an object of type 'QWidget'
  0x7ffcd4c39a70: note: object is of type 'QObject'
   00 00 00 00  b0 43 4c 7b f5 2a 00 00  70 c9 28 02 00 00 00 00  08 93 9a 77 f5 2a 00 00  00 00 c3 d4
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x2af56f189960 in QLayout::widgetEvent(QEvent*) qlayout.cpp:612
    #1 0x2af56f037660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3732
    #2 0x2af56f06ae5b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
    #3 0x2af57989e383 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
    #4 0x2af5799c1696 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
    #5 0x2af5799c1696 in QObjectPrivate::setParent_helper(QObject*) qobject.cpp:2043
    #6 0x2af5799c4823 in QObject::~QObject() qobject.cpp:1095
    #7 0x2af56f2d205d in QWidget::~QWidget() qwidget.cpp:1549
    #8 0x2af56f9c1366 in QFrame::~QFrame() qframe.cpp:262
    #9 0x2af56f9e76cb in QLabel::~QLabel() qlabel.cpp:247
    #10 0x458077 in tst_QStyleSheetStyle::emptyStyleSheet() tst_qstylesheetstyle.cpp:1400

Fix by not casting at all (or, to be precise, casting implicitly up
instead of explicitly down).

Change-Id: Ic19fd29e0cabd1aee5b1c93ca4c0fc70bc7a5927
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
marc-kdab committed Sep 27, 2016
1 parent b4995eb commit fcf4767
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions src/widgets/kernel/qlayout.cpp
Expand Up @@ -540,7 +540,7 @@ void QLayout::invalidate()
update();
}

static bool removeWidgetRecursively(QLayoutItem *li, QWidget *w)
static bool removeWidgetRecursively(QLayoutItem *li, QObject *w)
{
QLayout *lay = li->layout();
if (!lay)
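Review bot: The parameter of removeWidgetRecursively() is now a QObject * but is still named w, which invites a later reader to treat it as a widget and cast it back down. Consider renaming it (for example to child) and adding a one-line comment above the function stating that the pointer is only compared for identity and must not be dereferenced as a QWidget, since the UBSan report in the commit message shows the caller can pass an object whose dynamic type is already QObject during destruction.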
Expand Down Expand Up @@ -603,12 +603,11 @@ void QLayout::widgetEvent(QEvent *e)
{
QChildEvent *c = (QChildEvent *)e;
if (c->child()->isWidgetType()) {
QWidget *w = (QWidget *)c->child();
#ifndef QT_NO_MENUBAR
if (w == d->menubar)
if (c->child() == d->menubar)
d->menubar = 0;
#endif
removeWidgetRecursively(this, w);
removeWidgetRecursively(this, c->child());
}
}
break;
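Review bot: The C-style cast in `QChildEvent *c = (QChildEvent *)e;` at the top of this block is still an explicit downcast, and its validity depends on the enclosing case label, which is not visible in this hunk. Since the commit is about removing an unchecked downcast, it would be consistent to write it as static_cast<QChildEvent *>(e) so the conversion is restricted to related types and easy to grep for. Separately, c->child() is now evaluated three times (the isWidgetType() check, the menubar comparison and the removeWidgetRecursively() call); hoisting it into a local `QObject *child = c->child();` would keep the block readable and make it obvious that only a QObject * is ever used.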