From ee17851b42f21bb92c4b7581e80c0319e5384e6b Mon Sep 17 00:00:00 2001
From: Jesus Fernandez <jesus.fernandez@qt.io>
Date: Mon, 23 Oct 2017 20:42:12 +0200
Subject: Fix use after free

This could cause an immediate crash or incorrect values might be read
subsequently resulting in incorrect computations.

In QtFlagPropertyManager::uninitializeProperty(QtProperty *): A
pointer to freed memory is dereferenced, used as a function argument, or
otherwise used (CWE-416)

Coverity-Id: 22622
Change-Id: I24fc9d6f7c1c516ddcadaaba2ba7cdaed7c7f807
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
---
 qtpropertybrowser/src/qtpropertymanager.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qtpropertybrowser/src/qtpropertymanager.cpp b/qtpropertybrowser/src/qtpropertymanager.cpp
index a3bc78c..4da2ef8 100644
--- a/qtpropertybrowser/src/qtpropertymanager.cpp
+++ b/qtpropertybrowser/src/qtpropertymanager.cpp
@@ -5355,8 +5355,8 @@ void QtFlagPropertyManager::setFlagNames(QtProperty *property, const QStringList
     while (itProp.hasNext()) {
         QtProperty *prop = itProp.next();
         if (prop) {
-            delete prop;
             d_ptr->m_flagToProperty.remove(prop);
+            delete prop;
         }
     }
     d_ptr->m_propertyToFlags[property].clear();
@@ -5396,8 +5396,8 @@ void QtFlagPropertyManager::uninitializeProperty(QtProperty *property)
     while (itProp.hasNext()) {
         QtProperty *prop = itProp.next();
         if (prop) {
-            delete prop;
             d_ptr->m_flagToProperty.remove(prop);
+            delete prop;
         }
     }
     d_ptr->m_propertyToFlags.remove(property);
-- 
cgit v1.2.3