QTextMarkdownImporter: fix use after free; add fuzz-generated tests

It was possible to end up with a dangling pointer in m_listStack. This is now avoided by using QPointer and doing nullptr checks before accessing any QTextList pointer stored there. We have 2 specimens of garbage that caused crashes before; now they don't. But only fuzz20450 triggered the dangling pointer in the list stack. The crash caused by fuzz20580 was fixed by updating md4c from upstream: 4b0fc030777cd541604f5ebaaad47a2b76d61ff9 Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38 Reviewed-by: Robert Loehning <robert.loehning@qt.io>
author: Shawn Rutledge <shawn.rutledge@qt.io> 2020-02-24 16:23:27 +0100
committer: Shawn Rutledge <shawn.rutledge@qt.io> 2020-02-28 09:31:59 +0100
commit: 7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch)
tree: e6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /src/gui/text/qtextmarkdownimporter_p.h
parent: eaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h
index f450da5eb3..e3b4bcd0f2 100644
--- a/src/gui/text/qtextmarkdownimporter_p.h
+++ b/src/gui/text/qtextmarkdownimporter_p.h
@@ -113,7 +113,7 @@ private:
 #endif
     QString m_blockCodeLanguage;
     QVector<int> m_nonEmptyTableCells; // in the current row
-    QStack<QTextList *> m_listStack;
+    QStack<QPointer<QTextList>> m_listStack;
     QStack<QTextCharFormat> m_spanFormatStack;
     QFont m_monoFont;
     QPalette m_palette;
author	Shawn Rutledge <shawn.rutledge@qt.io>	2020-02-24 16:23:27 +0100
committer	Shawn Rutledge <shawn.rutledge@qt.io>	2020-02-28 09:31:59 +0100
commit	7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch)
tree	e6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /src/gui/text/qtextmarkdownimporter_p.h
parent	eaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff)