Fix crash when detaching dangling QTextCursor

When a QTextCursor survives its QTextDocument, the internal
QTextDocumentPrivate pointer is set to null. There are checks for
this in all the QTextCursor functions to skip out early if such
a QTextCursor is used.

However, when executing the "if (d->priv)" condition in setters,
this will access the non-const operator->() of QSharedDataPointer
and detach the QTextCursorPrivate, and in the copy constructor of
this class, there was an unprotected call into priv->addCursor().

In theory, we could cast all the checks for d->priv to avoid
detaching, but in practice this doesn't matter, since the setters
will typically detach anyway later on.

[ChangeLog][QtGui][Text] Fixed a crash that can happen when calling
a setter on a QTextCursor after its QTextDocument has been deleted.

Task-number: QTBUG-70293
Change-Id: I8f6dc5bb344d1d824f673c0c220b68b7fee237a8
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/gui/text/qtextcursor.cpp b/src/gui/text/qtextcursor.cpp
index f32c31d18e..af8fcf369c 100644
--- a/src/gui/text/qtextcursor.cpp
+++ b/src/gui/text/qtextcursor.cpp
@@ -80,7 +80,8 @@ QTextCursorPrivate::QTextCursorPrivate(const QTextCursorPrivate &rhs)
     visualNavigation = rhs.visualNavigation;
     keepPositionOnInsert = rhs.keepPositionOnInsert;
     changed = rhs.changed;
-    priv->addCursor(this);
+    if (priv != nullptr)
+        priv->addCursor(this);
 }
 
 QTextCursorPrivate::~QTextCursorPrivate()