From 40f2dbd5557da2103e03a3fb7682bbfda3ffd122 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Thu, 27 Feb 2020 09:27:40 +0100
Subject: QQmlDelegateModel: Avoid use-after-free

The iterator may be invalidated by addCacheItem(). We can retrieve the relevant properties before, though.
Change-Id: Ia3bbc50d16a7563097239177a75c9e2eab777a33
Reviewed-by: Fabian Kosmale
Reviewed-by: Simon Hausmann
Reviewed-by: Shawn Rutledge
---
 src/qmlmodels/qqmldelegatemodel.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/qmlmodels/qqmldelegatemodel.cpp b/src/qmlmodels/qqmldelegatemodel.cpp
index c32caafaa6..3a05bf1689 100644
--- a/src/qmlmodels/qqmldelegatemodel.cpp
+++ b/src/qmlmodels/qqmldelegatemodel.cpp
@@ -1211,11 +1211,13 @@ QObject *QQmlDelegateModelPrivate::object(Compositor::Group group, int index, QQ
 }
 Compositor::iterator it = m_compositor.find(group, index);
+ const auto flags = it->flags;
+ const auto modelIndex = it.modelIndex();
 QQmlDelegateModelItem *cacheItem = it->inCache() ? m_cache.at(it.cacheIndex) : 0;
 if (!cacheItem || !cacheItem->delegate) {
- QQmlComponent *delegate = resolveDelegate(it.modelIndex());
+ QQmlComponent *delegate = resolveDelegate(modelIndex);
 if (!delegate) return nullptr;
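Review bot: The two snapshots added right after `m_compositor.find(group, index)` carry no explanation, so a later cleanup could fold `flags` and `modelIndex` back into `it->flags` / `it.modelIndex()` and reintroduce the use-after-free. I would put a comment above them, for example `// Read these before addCacheItem(): it may invalidate 'it'.` Spelling out the types instead of `const auto` would also make it obvious that both are value copies rather than references into the compositor. The diffstat shows only this file changed, so no regression test accompanies the fix; one that exercises the reuse path under a memory sanitizer would keep it from returning. The body of `object()` starts and ends outside this hunk.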
@@ -1226,17 +1228,17 @@ QObject *QQmlDelegateModelPrivate::object(Compositor::Group group, int index, QQ
 // all related properties, and return the object (which
 // has already been incubated, otherwise it wouldn't be in the pool).
 addCacheItem(cacheItem, it);
- reuseItem(cacheItem, index, it->flags);
+ reuseItem(cacheItem, index, flags);
 cacheItem->referenceObject();
 return cacheItem->object;
 }
 // Since we could't find an available item in the pool, we create a new one
- cacheItem = m_adaptorModel.createItem(m_cacheMetaType, it.modelIndex());
+ cacheItem = m_adaptorModel.createItem(m_cacheMetaType, modelIndex);
 if (!cacheItem) return nullptr;
- cacheItem->groups = it->flags;
+ cacheItem->groups = flags;
 addCacheItem(cacheItem, it);
 }
--
cgit v1.2.3
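Review bot: `it` stays in scope after both `addCacheItem(cacheItem, it)` calls, and nothing in the new code prevents a later statement from dereferencing it again. The function continues past the closing `}` of this hunk, so the remainder of `object()` is not visible here; any `it->` access in that part would presumably touch the same invalidated storage and should be audited as part of this fix. A short marker after each call, such as `// 'it' may be invalid from here on; use flags/modelIndex instead`, would record the constraint for the next person editing this function.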