diff options
author | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-24 16:23:27 +0100 |
---|---|---|
committer | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-28 09:31:59 +0100 |
commit | 7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch) | |
tree | e6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /src/gui/text/qtextmarkdownimporter_p.h | |
parent | eaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff) |
QTextMarkdownImporter: fix use after free; add fuzz-generated tests
It was possible to end up with a dangling pointer in m_listStack.
This is now avoided by using QPointer and doing nullptr checks before
accessing any QTextList pointer stored there.
We have 2 specimens of garbage that caused crashes before; now they don't.
But only fuzz20450 triggered the dangling pointer in the list stack.
The crash caused by fuzz20580 was fixed by updating md4c from upstream:
4b0fc030777cd541604f5ebaaad47a2b76d61ff9
Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Diffstat (limited to 'src/gui/text/qtextmarkdownimporter_p.h')
-rw-r--r-- | src/gui/text/qtextmarkdownimporter_p.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h index f450da5eb3..e3b4bcd0f2 100644 --- a/src/gui/text/qtextmarkdownimporter_p.h +++ b/src/gui/text/qtextmarkdownimporter_p.h @@ -113,7 +113,7 @@ private: #endif QString m_blockCodeLanguage; QVector<int> m_nonEmptyTableCells; // in the current row - QStack<QTextList *> m_listStack; + QStack<QPointer<QTextList>> m_listStack; QStack<QTextCharFormat> m_spanFormatStack; QFont m_monoFont; QPalette m_palette; |