diff options
| author | Thiago Macieira <thiago.macieira@intel.com> | 2017-04-07 13:12:05 -0700 |
|---|---|---|
| committer | Thiago Macieira <thiago.macieira@intel.com> | 2017-04-11 06:21:35 +0000 |
| commit | ea0c25365744d4da0ab1be5afbb55ebdfe8b2064 (patch) | |
| tree | 0d0ec49b926b37e0258b644add8e861f22fb337d | |
| parent | f3938b87972dd1ede65ca2a41af0e5c38a418c2f (diff) | |
QMap: fix UB (invalid cast) in QMapData::end()
The end() pointer, like in all other containers, is a sentinel value
that must never be dereferenced. But unlike array-based containers,
end() in QMap is not "last element plus one", but points to a base class
of Node, not a full Node.
Therefore, the casting from QMapNodeBase to QMapNode must not be a
static_cast, reinterpret_cast is required.
libstdc++-v3's red-black tree had the exact same problem:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
Change-Id: I43f05fedf0b44314a2dafffd14b33697861ae589
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
(cherry picked from commit 75cdf654bcc192ba73a8834e507583a59140e7e4)
Reviewed-by: Ville Voutilainen <ville.voutilainen@qt.io>
| -rw-r--r-- | src/corelib/tools/qmap.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/corelib/tools/qmap.h b/src/corelib/tools/qmap.h index 7b5a643a1e..08565dfe9b 100644 --- a/src/corelib/tools/qmap.h +++ b/src/corelib/tools/qmap.h @@ -207,8 +207,10 @@ struct QMapData : public QMapDataBase Node *root() const { return static_cast<Node *>(header.left); } - const Node *end() const { return static_cast<const Node *>(&header); } - Node *end() { return static_cast<Node *>(&header); } + // using reinterpret_cast because QMapDataBase::header is not + // actually a QMapNode. + const Node *end() const { return reinterpret_cast<const Node *>(&header); } + Node *end() { return reinterpret_cast<Node *>(&header); } const Node *begin() const { if (root()) return static_cast<const Node*>(mostLeftNode); return end(); } Node *begin() { if (root()) return static_cast<Node*>(mostLeftNode); return end(); } |