QCache: fix potential crash in trim()

We use raw pointers to the Nodes in the QHash which is inherently fine, but we are then subject to invalidation when nodes are moved around during deletion. In trim() we don't actually need to iterate the linked-list since the node we are interested in is always chain.prev Pick-to: 6.3 6.2 6.2.3 Fixes: QTBUG-99710 Task-number: QTBUG-99224 Task-number: QTBUG-99240 Change-Id: I9c2ed69b29e3cadca013113a3553deb44d7382fc Reviewed-by: Lars Knoll <lars.knoll@qt.io> Reviewed-by: Jarek Kobus <jaroslaw.kobus@qt.io>
author: Mårten Nordheim <marten.nordheim@qt.io> 2022-01-11 17:19:00 +0100
committer: Mårten Nordheim <marten.nordheim@qt.io> 2022-01-12 14:27:59 +0000
commit: 8c5e31536ac74f643d4dd371d281fd9416864a45 (patch)
tree: 9a849c776c7a1e3c029154eeea559b3eb0363475 /src/corelib/tools/qcache.h
parent: 5cc5ba8aacc95974e79f7bec224f9222104f1620 (diff)
1 files changed, 3 insertions, 5 deletions
diff --git a/src/corelib/tools/qcache.h b/src/corelib/tools/qcache.h
index f3b3f0b677..72a456890f 100644
--- a/src/corelib/tools/qcache.h
+++ b/src/corelib/tools/qcache.h
@@ -164,11 +164,9 @@ class QCache
 
     void trim(qsizetype m) noexcept(std::is_nothrow_destructible_v<Node>)
     {
-        Chain *n = chain.prev;
-        while (n != &chain && total > m) {
-            Node *u = static_cast<Node *>(n);
-            n = n->prev;
-            unlink(u);
+        while (chain.prev != &chain && total > m) {
+            Node *n = static_cast<Node *>(chain.prev);
+            unlink(n);
         }
     }
author	Mårten Nordheim <marten.nordheim@qt.io>	2022-01-11 17:19:00 +0100
committer	Mårten Nordheim <marten.nordheim@qt.io>	2022-01-12 14:27:59 +0000
commit	8c5e31536ac74f643d4dd371d281fd9416864a45 (patch)
tree	9a849c776c7a1e3c029154eeea559b3eb0363475 /src/corelib/tools/qcache.h
parent	5cc5ba8aacc95974e79f7bec224f9222104f1620 (diff)